THE THEORY AND APPLICATION OF PRIVACY-PRESERVING COMPUTATION

DISSERTATION 

Michael R. Clark, B.S.C.S., M.S.C.S.

AFIT-ENG-DS-15-M-013


DEPARTMENT OF THE AIR FORCE
AIR UNIVERSITY

AIR FORCE INSTITUTE OF TECHNOLOGY


Wright-Patterson Air Force Base, Ohio


DISTRIBUTION STATEMENT A.

APPROVED FOR PUBLIC RELEASE; DISTRIBUTION UNLIMITED


The views expressed in this dissertation are those of the author and do not reflect the official policy or position of the United States Air Force, the Department of Defense, or the United States Government.

This material is declared a work of the U.S. Government and is not subject to copyright protection in the United States.


AFIT-ENG-DS-15-M-013


THE THEORY AND APPLICATION OF PRIVACY-PRESERVING COMPUTATION


DISSERTATION 


Presented to the Faculty

Graduate School of Engineering and Management
Air Force Institute of Technology
Air University

Air Education and Training Command
in Partial Fulfillment of the Requirements for the
Degree of Doctor of Philosophy


Michael R. Clark, B.S.C.S., M.S.C.S.

March 2015


DISTRIBUTION STATEMENT A.

APPROVED FOR PUBLIC RELEASE; DISTRIBUTION UNLIMITED


AFIT-ENG-DS-15-M-013


THE THEORY AND APPLICATION OF PRIVACY-PRESERVING COMPUTATION


Michael R. Clark, B.S.C.S., M.S.C.S.


Dr. Kenneth M. Hopkinson (Chairman)


Maj Thomas E. Dube, PhD (Member)


Dr. Mark E. Oxley (Member)


Dr. Adedeji B. Badiru

Dean, Graduate School of Engineering and Management


AFIT-ENG-DS-15-M-013

Abstract 

Privacy is a growing concern in the digital world as more information becomes digital every day. Often, the implications of how this information could be exploited for nefarious purposes are not explored until after the fact. The public is becoming more concerned about the proliferation of private data. An example of their concern comes from 2009 Dutch legislation which rejected the deployment of smart meters due to privacy concerns about the fine-grained information reporting necessary for the smart grid. Yet, there are clear benefits of the smart grid that are lost when smart metering is not available. This is true of many applications which require sensitive information to achieve their purposes. End-to-end encryption can only go so far in protecting this information. Trusted third parties could be used to assist in the processing, but they are difficult to find in large systems and represent a single point of failure.

The security community has long argued for the principle of least privilege access. In other words, access to sensitive information should only be granted if it is absolutely necessary to perform the task at hand. Interestingly, in some applications today requiring access to sensitive, personal data, it is not the actual data the involved parties need, but instead some function (e.g., sum, mean or standard deviation) of the data. To follow the principle of least privilege access would be to only reveal the output of functions of the data, not the data themselves. Yet such an idea can seem paradoxical.

Solutions to this problem, referred to as privacy-preserving computation, have existed since the 1980s. While initially mostly theoretical, the solutions have been researched extensively since their original proposals and are mature enough to be used in certain practical circumstances. Yet existing protocols are still too inefficient for wide-scale deployment in large systems, as described in this dissertation. This dissertation presents a new technique for privacy-preserving computation, which enables more scalable systems in a number of application scenarios.

Specifically, this dissertation proposes a new paradigm for privacy-preserving computation called transferable multiparty computation (T-MPC). Protocols for T-MPC in both the honest-but-curious (or semi-honest) and malicious adversary models are presented. These protocols are studied in two application scenarios, namely smart metering and decentralized reputation systems. In both applications, T-MPC enhances the systems. In smart metering, T-MPC enables massively scalable, in-network computations on private data. In decentralized reputation systems, T-MPC increases availability of reputation information via privacy-preserving delegation. Finally, the T-MPC protocols are compared with protocols from other privacy-preserving computational paradigms to see how their efficiencies change when switching from honest-but-curious to malicious model protocols. This is important to understand as privacy-preserving computation techniques become more widely used by industry and system designers have to decide which adversary model to operate under.


I. Introduction


1.1 Motivation

Whether in business, government, or the military, information can be exploited to gain a competitive advantage. Each and every day, more information is exploited to make systems more efficient, more accurate, and more reliable. Consider two simple examples. A user's or product's reputation, as determined by other users' feedback, is an often used measure when purchasing products online. This type of information has become almost ubiquitous in online purchasing. A similar feedback mechanism is also used in a number of distributed systems in a more decentralized fashion. When one node, say n_i, needs to interact with another, say n_j, n_i can query its neighbors to find out how much they trust n_j, and therefore come up with a reputation for n_j. Another example is the smart grid. The smart grid exploits fine-grained data from consumers, suppliers, etc. to enhance the grid. A common scenario in the smart grid is to have each household's meter report its instantaneous usage back to the supplier. This information can be exploited at a supplier or distributor to better optimize generation or distribution, or to aid in purchasing or selling excess production.

The increased gathering and use of information comes with tradeoffs. Often, privacy is traded or forfeited in order to achieve the benefits described above. Privacy is one's ability to control what information is collected about them and how it is used. In a reputation system, compromised privacy can lead to incentives to not be truthful when providing feedback in order to avoid retribution. The compromise of privacy can diminish the utility of the entire system. In the smart grid, the gathered information can leak other, unintended information. Researchers using this type of information have demonstrated that it can determine information such as whether or not someone is home, how many people live in a house, and what appliances are in use [1, 2]. Figure 1.1 shows a graphical example of this.
Figure 1.1: Example of private data leaked by smart meter reporting [2].


These two examples are a small sample of how privacy considerations can have real-world consequences. For better or for worse, it appears that the amount of private data being collected will continue to grow for the foreseeable future. Therefore, it is imperative that users be empowered with the ability to control their privacy. There are many areas in which privacy is needed, and targeted solutions are being developed for specific domains. The most visible area is in limiting what companies are able to collect on users' online browsing. These solutions are typically distributed as browser extensions for all the popular web browsers. They work by blocking certain code from executing within the browser, code that has been determined by experts to violate privacy in some manner. A major problem with these sorts of products is that they completely block access to private data. In the two examples above, private data is necessary for the systems to function. This dissertation deals with what to do in cases like that, where private data is necessary for a system to function.

1.1.1 Solution Techniques.

What if there were a way to still enable the sorts of benefits gained by having such sensitive information but still limit, to the maximum extent possible, the disclosure of unnecessary information? Researchers have been working on techniques to enable that since the 1980s. Broadly, this body of work is referred to as privacy-preserving computation. Privacy-preserving computation stems from the observation that, in many applications, interested parties do not need to know the inputs of the other participants, but rather they need to know a function of those inputs. In both of the example applications outlined previously, the interested party really only needs to learn statistics on the inputs (e.g., mean or standard deviation). Privacy-preserving computation allows one to better practice the principle of least privilege, that is, that a node should be given access to only the minimal amount of information necessary to do its job. In both of the example applications, this could be achieved by allowing the interested party to only learn some predefined function of the inputs (e.g., the standard deviation of power consumption in a neighborhood or the average reputation of n_j, as determined by the neighbors of n_i).

Three primary classes of techniques have emerged in the privacy-preserving computation literature. The following sections describe the techniques and the scenarios where they are best used, as well as review information from the literature on their efficiencies. The contributions of this work are primarily focused on the second, secure multiparty computation.

1.1.1.1 Homomorphic Encryption.

In mathematics, a homomorphism is a structure-preserving map between two algebraic structures. For example, consider the function f : G → H where G and H are groups under the operations + and ⊕, respectively. f is called a homomorphism if f(x + y) = f(x) ⊕ f(y) for all x, y ∈ G. If f is a trapdoor function (i.e., one that is easy to compute in the forward direction, but hard to invert without special information), then f would be a homomorphic cipher. In particular, given encryptions of values, e.g. f(x) and f(y), homomorphic encryption allows one to compute f(x + y), or an encryption of x + y. Such a cipher would be called partially homomorphic with respect to addition. An example of such a cipher used in practice is the Paillier cryptosystem [3]. The ElGamal cipher is an example of a multiplicatively homomorphic cipher [4].

In the late 1970s, Rivest et al. proposed the notion of a privacy homomorphism (which is the same as a homomorphic cipher) and postulated that a so-called fully homomorphic cipher could be constructed [5]. While partially homomorphic ciphers can only compute a limited set of functions on encrypted data, a fully homomorphic cipher could compute any function. Rivest et al. left the construction of such a cipher as an open problem in cryptography, which remained open for another three decades. Researchers proposed several candidate constructions during those three decades, but each was broken by the cryptographic community.

Finally, in 2009, Craig Gentry proposed a fully homomorphic cipher based on ideal lattices with a sufficient security reduction to known hard problems to theoretically solve the open problem [6]. While this represented a major breakthrough in the academic cryptographic community, the practical results were still greatly lacking. In Gentry's original system, public keys were on the order of gigabytes in size, and ciphertexts were also very large. Furthermore, Gentry's system required an expensive operation called bootstrapping. Since his original proposal, Gentry and other researchers have developed much more efficient systems. Currently, fully homomorphic ciphers are still slow, but could be run on powerful enough machines to evaluate complicated programs, given enough time. Gentry et al. recently implemented the AES circuit using many of these advances in the fully homomorphic encryption (FHE) literature [7]. In other words, they could evaluate AES homomorphically, where the key, the ciphertext, and the resulting plaintext (from a decryption operation) were all privacy protected via the homomorphic cipher. They found that it took approximately 36 hours to run through the entire AES operation. Using a certain optimization which allows for SIMD (single instruction, multiple data) operations, this yields an amortized rate of around 40 minutes per block.

Considerable work remains to make FHE fast enough for real-time use. Significant advances in recent years make FHE possible in real-world applications where security and privacy trump efficiency. Partially homomorphic ciphers, however, such as Paillier and ElGamal, are quite efficient and have seen use in real-world systems.

1.1.1.2 Secure Multiparty Computation.

Around the same time Rivest was looking at privacy homomorphisms, which led to research in homomorphic encryption, Yao was exploring a related notion for distributed computation. In his seminal work, Yao proposed a problem which involves two millionaires who wish to know who is richer, yet do not want to reveal how much they are worth [8]. This formed a basis for decades of research known as secure multiparty computation (MPC or SMC). The goal of MPC is to solve the general problem of a set of parties, each with private inputs to a computation, who wish to compute some joint function of their inputs without revealing the inputs. The problem did not remain open in the theoretical sense for very long, with initial solutions coming only a few years later [9-11].

Since the initial solutions in the late 1980s, researchers in the MPC community have explored various optimizations, stronger adversary models, and better security proof techniques. Today, MPC is very fast. While Gentry et al. were exploring implementing AES using homomorphic encryption, Damgård et al. implemented AES via MPC [12]. They found they could evaluate AES in less than half a second per block. Section 1.1.2 explores some real-world use cases involving MPC.
1.1.1.3 Functional Encryption.


In 2010, Boneh et al. formalized a new cryptographic primitive called functional encryption [13]. Functional encryption has its roots in identity-based encryption (IBE) and attribute-based encryption (ABE). In 2005, Sahai and Waters proposed the first complete IBE system [14]. IBE systems allow users to use their identity (e.g., email address or fingerprint) as their public key and retrieve the secret key associated with that identity by proving ownership of the identity to a trusted third party. The benefit of this is anyone who knows your identity can send you encrypted messages, even if you, at the moment the message was sent, do not have your secret key. ABE replaces identities with attributes. These attributes form a person's private key. A message is encrypted using a specific access policy over the attributes, and only someone holding the private key that satisfies the policy can decrypt the message. For example, in order to decrypt the message you must have the AFIT attribute and either the Ph.D. Student attribute or the Faculty attribute. Therefore, someone with the attribute set {AFIT, Staff} in their private key could not decrypt the message.

Functional encryption (FE) is defined as a cryptosystem in which the secret key determines what functions of the encrypted plaintext a person can learn. The holder of the secret key learns the output of the function when run on the encrypted inputs and nothing else. Both IBE and ABE can be implemented given an FE cryptosystem, but FE is clearly more powerful as it is the more generic construct. For example, your private key could give you access to the mean or standard deviation of an encrypted data set. The relationship to privacy-preserving computation is clear.

Early FE systems could only support limited functionalities (e.g., boolean formulas). Recent breakthroughs have made it possible to have FE for arbitrary functionalities [15-17]. This brings FE to the same level as FHE and MPC in terms of theoretical functionality. Implementation results of FE ciphers are not widely available in the published literature. Naveed et al. recently published results on a variant of FE called controlled functional encryption (C-FE) and found that a single block of AES run via C-FE took approximately three minutes to run [18]. C-FE differs from FE in that it requires the user to obtain a fresh key from the authority every time it evaluates a function on a ciphertext. FE supports a number of very interesting constructs and is an important theoretical breakthrough. As the community gains a better understanding of the capabilities of FE, it may become a viable option for privacy-preserving computation.

1.1.2 Application Domains.

Both homomorphic encryption and secure multiparty computation have been applied to real-world privacy issues. This section describes other application areas where privacy needs have been explored and solutions have been proposed which use the building blocks described above. The purpose of this section is to illustrate the wide applicability of privacy-preserving computation research in general and explore application domains to which T-MPC could be applied in future work.

1.1.2.1 Electronic Voting.

Cramer et al. list three important properties of private electronic voting schemes [19].

• Verifiability: Any party should be able to verify that the final vote tally was computed correctly from all the ballots that were correctly cast.

• Privacy: An individual's vote is kept secret from any reasonably sized group of parties.

• Robustness: The system can recover from faulty behavior of parties involved in the election.

Most existing systems, unfortunately, do not meet any of the three requirements above. Researchers, using techniques from privacy-preserving computation, have proposed numerous electronic voting schemes which do meet the properties listed above. Benaloh proposed a system for tally votes (i.e., yes/no votes) which uses many of the building blocks used in today's MPC protocols, including (verifiable) secret sharing [20]. Cramer et al. proposed a scheme for similar elections using a variant of homomorphic encryption [19]. Baudron et al. proposed a scheme for multi-candidate elections (as opposed to simple yes/no votes) that uses homomorphic encryption [21]. While MPC has not been directly applied in multi-candidate election systems, it is not hard to imagine how such a system could be constructed. Enumerating all of the proposed electronic voting schemes is outside the scope of the objective here, but one very mature electronic voting system worth mentioning is the Helios voting system [22]. The Helios voting system uses homomorphic encryption as well as a number of other cryptographic primitives to provide specific security properties. It has been used in a number of elections including the International Association for Cryptologic Research's annual elections since 2010 and was used in campus-wide elections for student body president at Belgium's Université catholique de Louvain. The Helios project's website reports that over 100,000 votes have been cast using Helios.

1.1.2.2 Location-based Services.

With the proliferation of mobile devices with fine-grained geolocation (typically via the global positioning satellite system), location-based services have increased in popularity [23]. In a dataset of over 310,000 apps from the Google Play Store, approximately 30% of the apps requested fine location information. Also, four out of the top ten free Android apps (accessed on 5 December 2014) in the Play Store requested fine location information.

A person's current location, or historical location information, may reveal a lot about the person. Researchers have already begun exploiting this information in order to optimize services and protocols [24-26]. Bettini et al. studied the privacy-related issues associated with location information and suggested that, given some amount of historical location information, people can be uniquely identified [27]. Additionally, researchers have developed a number of protocols to deal with the privacy issues. Relating specifically to privacy-preserving computation, Zhong et al. [28] and Solanas et al. [29] each proposed protocols which use partially homomorphic encryption to solve the privacy problem. Researchers have also explored proximity testing protocols, which allow two people to determine if they are within some distance of each other [30, 31]. All of these protocols could theoretically be instantiated with MPC techniques, though some authors have suggested that specialized protocols are faster.

1.1.2.3 Medical Information.

Vanacek [32] summed up the trend and threat in the medical community earlier this year when she wrote:

In ten years, eighty percent of the work people do in medicine will be replaced by technology. And medicine will not look anything like it does today... It was estimated that 90% of all healthcare institutions will experience a data breach of some kind. Many already have. Each breach costs about $2M in fines, not to mention the loss of privacy and other incalculable costs to the patient.

Traditional information security can go a long way in the medical community in protecting private information, but judicious application of privacy-preserving computation techniques can make a huge difference in limiting risk to providers and consumers. Researchers in the community have begun looking at applying these techniques to specific problems. This includes protocols that operate on DNA sequences [33-36] and protocols for classifying electrocardiogram (ECG) data for disease detection [37, 38].

These sorts of medical applications are very interesting as there are many competing interests at play. Everyone wants the best possible diagnoses. Patients want their private data protected, but that private data can be used to make future diagnoses better. Furthermore, there are medical research companies that are developing algorithms for better detection. They want to keep their proprietary algorithms safe to maintain a competitive advantage. There are even malicious actors who would try to compromise data or algorithms for their own benefit. The examples cited above all use various privacy-preserving computation techniques, from homomorphic encryption to multiparty computation, to enable privacy while not forgoing the advances that are possible if privacy were not a concern.

1.2 Contributions

The objectives addressed in this research effort are to

1. develop new protocols for privacy preserving computation and formally prove their security,

2. show how these protocols can make privacy preserving computation in the smart grid orders of magnitude more efficient than existing protocols,

3. show how the protocols can be used to enhance existing work in decentralized reputation systems, and

4. illustrate the benefits of the protocols in terms of the tradeoffs associated with adversary models.

1.3 Objectives

1.3.1 New Protocols.

Existing protocols which use homomorphic encryption for privacy preserving computation do not scale well [39]. For example, in a smart meter network used to privately compute the sum of every meter's usage at an interval of 60 seconds, under the malicious model, networks of only around 50 meters can be supported. An honest-but-curious model protocol can support around 300 meters. Secure multiparty computation (MPC) protocols are more efficient but still do not scale well to the types of networks expected in practice.
Objective #1: Propose new, more flexible protocols for doing generic privacy preserving computation. Given MPC is more efficient than homomorphic encryption, these protocols will build upon existing MPC techniques. Protocols in both the honest-but-curious and the malicious adversary models are proposed. Their security is formally proven according to their respective adversary models.

1.3.2 Applications.

While privacy preserving computation techniques have existed for decades, industry is only now beginning to turn to these methods to assist in securing their systems. This is primarily because the proposed protocols are only now becoming efficient enough.

Objective #2: Demonstrate the benefits of the proposed protocols by studying two applications, smart metering and decentralized reputation systems.

For each application, system models help to contrast existing protocols with the proposed protocols to understand the benefits of T-MPC. The smart grid example illustrates scalability of the network. The decentralized reputation system example illustrates adding new functionality to make the system more stable.

1.3.3 Adversary Model Tradeoffs.

An often overlooked aspect of deploying privacy preserving computation is the choice of adversary model. The adversary model can have a big impact on the security of the system in the real world. In the smart grid literature, a number of smart metering papers suggest the use of anti-tamper mechanisms in order to justify using a weaker adversary model. This is due to the fact that the meters are, in a sense, located in hostile environments since their physical security is not guaranteed. A similar problem could arise if a decentralized reputation system is deployed on a wireless sensor network. Little attention has been paid to the tradeoffs of different adversary models and how extra assumptions, such as anti-tamper, change these tradeoffs.

Objective #3: Develop a method for understanding the tradeoffs between adversary models.

1.4 Document Organization

Chapter 2 presents the background information needed to understand the remainder of the dissertation. Chapter 3 presents work related to Objective #1 in developing new protocols for privacy preserving computation. Chapter 4 presents work related to application of T-MPC, which is described in Objective #2. Chapter 5 presents work related to adversary modeling described in Objective #3.
II. Preliminaries and Related Work


This chapter presents the background information necessary to understand the remainder of the dissertation. Furthermore, the information presented in this chapter serves as a discussion of related works upon which this research builds. This will help the reader to understand the contributions to the research area.

2.1 Adversary Modeling

There are two primary adversary models seen throughout the privacy preserving computation literature: the honest-but-curious (HbC) model, which is sometimes referred to as semi-honest, and the malicious model [40]. In the HbC model, adversaries follow the protocol exactly as specified. For example, an HbC adversary in the smart grid application would always use the correct input. The corrupt parties do, however, collude by using information gathered during the execution of the protocol to attempt to violate an honest party's privacy.

The malicious adversary model represents the other end of the spectrum in privacy preserving computation. Malicious adversaries will deviate from the protocol in any way to attempt to violate another's privacy. An example of this would be using non-random values when the protocol specifies random numbers or having all corrupt parties collaborate to choose their random values. This model is much stronger than the HbC model because it makes fewer assumptions about adversary behavior. That comes at a cost, usually in efficiency and more complex cryptographic protocols.

Another  common  assumption  related  to  adversary  models  seen  throughout  the 
literature  is  an  assumption  on  the  number  of  corrupt  parties  in  a  given  protocol  execution. 
Many  protocols  that  use  homomorphic  encryption  are  able  to  achieve  full  threshold 
security.  In  other  words,  such  protocols  can  guarantee  security  as  long  as  there  is  at  least 
one non-corrupt party. Multiparty computation (MPC) protocols have traditionally required
lower  thresholds.  For  example,  with  HbC  an  often  made  assumption  is  that  fewer  than  half 
of  the  parties  are  corrupt.  In  the  malicious  model,  the  assumption  is  often  that  less  than 
a  third  are  corrupt.  More  recent  MPC  protocols  are  able  to  achieve  full  threshold  security 
but  at  the  expense  of  requiring  computationally  expensive  operations  (e.g.,  zero-knowledge 
proofs). 

2.2  Homomorphic  Encryption  with  the  Paillier  Cryptosystem 

Homomorphic encryption is a special encryption paradigm which can enable privacy
preserving computation. It allows an untrusted party to perform operations on ciphertexts
such that it has a well-defined effect on plaintexts. For example, given the encryptions of
two values, say $\mathcal{E}(x_1), \mathcal{E}(x_2)$, computing some operation on the ciphertexts, say $\oplus$, results
in addition of the plaintexts. Mathematically, this is $\mathcal{E}(x_1) \oplus \mathcal{E}(x_2) = \mathcal{E}(x_1 + x_2)$. Decrypting
the result reveals $x_1 + x_2$. Note that this requires no knowledge of $x_1$ or $x_2$. Fully
homomorphic encryption (FHE) is a cipher that supports addition and multiplication and allows
us to compute any function. Existing FHE ciphers (e.g., Gentry's original work [6] and the
BGV cipher [41]) are still not efficient enough to be considered for practical applications
involving large numbers of parties.

The  primary  cipher  used  in  this  work  is  the  Paillier  cipher  [3].  This  cipher  is  additively 
homomorphic,  meaning  it  supports  addition  operations  on  the  plaintext  values  using  only 
ciphertexts.  Below  is  a  description  of  a  simplified  version  of  the  Paillier  cipher  and  a 
description  of  how  to  perform  the  additive  homomorphic  operation.  A  public  key  cipher 
consists  of  three  routines:  KeyGen  which  generates  a  public  and  a  private  key,  Enc  which 
returns  a  ciphertext  given  the  public  key  and  a  message,  and  Dec  which  returns  a  message 
given  a  ciphertext  and  the  private  key.  The  mathematics  of  each  routine  is  given  below. 
Routine KeyGen

1. Let $p, q$ be large primes of the same size.

2. $n \leftarrow pq$, $\lambda \leftarrow \varphi(n) = (p - 1)(q - 1)$

3. $g \leftarrow n + 1$, $\mu \leftarrow \lambda^{-1} \bmod n$

4. Encryption (public) key $K_E = (n, g)$. Decryption (private) key $K_D = (\lambda, \mu)$

Routine Enc

Given: Plaintext $m$ and $K_E = (n, g)$

1. Choose at random $r \in \mathbb{Z}_n^*$

2. Ciphertext $c \leftarrow g^m \cdot r^n \bmod n^2$

Routine Dec

Given: Ciphertext $c \in \mathbb{Z}_{n^2}^*$ and $K_D = (\lambda, \mu)$

1. Message $m \leftarrow L(c^\lambda \bmod n^2) \cdot \mu \bmod n$,
where $L(u)$ returns the quotient of $(u - 1)/n$.
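A toy implementation of the simplified Paillier routines above together with the additive homomorphic operation, as an added example (not code from the dissertation); the function names are mine, and the primes 61 and 53 used in the demo are a constructed toy key, not a secure one.

```python
"""Simplified Paillier cipher (g = n + 1) and its additive homomorphic
operation, following the KeyGen / Enc / Dec routines above.  Added example,
not code from the dissertation; the primes 61 and 53 in the demo are a toy
key (constructed), real keys need primes of roughly 1024 bits each."""
import secrets
from math import gcd


def keygen(p, q):
    """KeyGen: n = pq, lambda = phi(n) = (p-1)(q-1), g = n+1, mu = lambda^-1 mod n.
    Returns (K_E, K_D) = ((n, g), (lambda, mu))."""
    if p == q or gcd(p * q, (p - 1) * (q - 1)) != 1:
        raise ValueError("need distinct primes with gcd(n, phi(n)) = 1")
    n = p * q
    lam = (p - 1) * (q - 1)
    return (n, n + 1), (lam, pow(lam, -1, n))


def encrypt(pk, m, r=None):
    """Enc: c = g^m * r^n mod n^2 for a random r in Z_n^*.
    A caller may pass r only for testing; a fresh r is what hides repeated m."""
    n, g = pk
    if not 0 <= m < n:
        raise ValueError("plaintext must lie in Z_n")
    while r is None or gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1          # uniform in [1, n-1]
    n2 = n * n
    return pow(g, m, n2) * pow(r, n, n2) % n2


def L(u, n):
    """L(u) = (u - 1) / n, an exact division because u = 1 mod n."""
    return (u - 1) // n


def decrypt(sk, pk, c):
    """Dec: m = L(c^lambda mod n^2) * mu mod n."""
    lam, mu = sk
    n, _ = pk
    return L(pow(c, lam, n * n), n) * mu % n


def homomorphic_add(pk, c1, c2):
    """E(x1) (+) E(x2) = E(x1 + x2): multiply the ciphertexts modulo n^2.
    The party doing this learns nothing about x1 or x2."""
    n, _ = pk
    return c1 * c2 % (n * n)


if __name__ == "__main__":
    pk, sk = keygen(61, 53)                      # toy key, n = 3233
    c = homomorphic_add(pk, encrypt(pk, 15), encrypt(pk, 27))
    print(decrypt(sk, pk, c))                    # 42 = 15 + 27
```

Note that the sum is only recovered modulo $n$, so plaintexts must be encoded to stay below $n$ in the applications this chapter describes.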


2.3  Secure  Multiparty  Computation  Protocols 

Multiparty computation (MPC) was first introduced in the 80's with solutions to the
problem falling into two main classes, 1) garbled circuits [9] and 2) secret sharing, both
in the computational setting [10] and in the information theoretic setting [11]. MPC deals
with the problem of having parties $p_1, \ldots, p_n$ with inputs $x_1, \ldots, x_n$ who wish to compute
some function of their inputs, say $f(x_1, \ldots, x_n)$, without revealing their individual inputs.
The output(s) of the function are revealed to potentially any group of the parties or even
authorized third parties. The focus of this work is on the secret sharing variant of MPC,
and in particular, the information theoretic setting with honest majority. These protocols
are simpler, but the general ideas behind T-MPC can easily be extended to other
settings (e.g., dishonest majority with computational security).

Below  is  an  overview  of  MPC  that  outlines  a  generic  MPC  protocol.  For  simplicity, 
some  of  the  details  are  abstracted  away  as  they  are  not  necessary  for  the  purposes  of  this 
dissertation.  Furthermore,  malicious  model  MPC  protocols  are  often  divided  up  into  two 
phases,  preprocessing  and  computation.  Doing  this  allows  the  protocols  to  be  proven  secure 
even  in  the  face  of  malicious  adversaries.  For  the  purposes  of  this  work,  the  description 
below  focuses  on  the  computation  phase. 

Given a finite field, $\mathbb{F}$, and each $x_i \in \mathbb{F}$ for $i = 1, \ldots, n$, let $(s_1, \ldots, s_n) \leftarrow
\mathrm{share}(x_i, \mathrm{seed})$ be a secret sharing function, which takes the secret to be shared as its first
input and a random seed as its second input. The random seed is used to generate the
random values needed by the specific secret sharing function. The outputs, $s_1, \ldots, s_n \in \mathbb{F}$,
form the $n$ shares of the secret. Each party $p_i$ uses share to generate $n$ shares of their input
$x_i$. Associated with the function share is a threshold $t$ which determines the number of
shares needed to reconstruct the input. Each other party receives one of the shares over a
secure channel. The most common choices for implementing share in the MPC literature
are Shamir secret sharing [42] and additive secret sharing. Additive secret sharing relaxes
share by requiring a cyclic group, instead of a finite field.

After all inputs are shared among the parties, they represent the function $f$ as an
arithmetic circuit with addition and multiplication gates. They use functions add and mult
to evaluate addition and multiplication gates of the arithmetic circuit. For example, say
the parties hold shares of $a$ and $b$ (called $a_i$ and $b_i$) and want to compute $c = a + b$ (resp.,
$c = a \cdot b$); they each call $c_i = \mathrm{add}(a_i, b_i)$ (resp., $c_i = \mathrm{mult}(a_i, b_i)$) to compute a share
$c_i$ of $c$. Full details of how the functions add and mult can be constructed in both the
honest-but-curious and malicious models can be found in [10, 11, 43].
Embedded within the circuit description are the identities of the parties authorized to
learn the output(s) of the function. At the end of the computation of the circuit, the parties
send the appropriate shares of the output(s) to the party or parties authorized to learn a
given output. The authorized parties run the function recombine which takes $n$ shares of
the output value (only $t + 1$ shares are necessary, but the adversary models associated with
MPC assume all $n$ are available) and returns the output value. Many malicious model
MPC protocols also include a preprocessing phase where the parties generate helper data
to increase security of the computation of share, recombine, add, or mult. The helper
data should not depend on the inputs or the function to be computed (beyond minimal
information such as the number of multiplication gates). Preprocessing is discussed in
more detail in Chapter 4.

2.4  Secret  Share  Redistribution 

The  main  idea  of  secret  share  redistribution  is  that  a  certain  number  of  parties 
receive  shares  of  a  secret.  Say  they  wish  to  redistribute  their  shares  to  a  new  (potentially 
overlapping)  set  of  parties  that  may  have  a  different  reconstruction  threshold  without 
reconstructing  the  original  secret.  Secret  share  redistribution  protocols  aim  at  solving  this 
problem. 

The simplest redistribution protocol is very similar to the multiplication protocol
already used by MPC and was proposed by Desmedt et al. [44]. It is secure in the honest-but-
curious model and works by having each party share their share with the new parties (i.e.,
they create subshares). This will work for any linear secret sharing method such as Shamir
or additive secret sharing. A number of malicious model redistribution protocols have been
proposed (e.g., [45] and subsequent works). Unfortunately, these will not work for
malicious model T-MPC as they do not provide semantic security. Therefore Chapter 3
presents a new malicious model redistribution protocol.
2.5 Universally Composable Security Framework

Proving the security of protocols can be a difficult process. One technique that has
been used in many areas of cryptography, and in particular, in multiparty computation, is
the universally composable security (UC) framework due to Ran Canetti [46]. This section
reviews basics of the framework and describes how to prove security in it. For further
details on the UC framework, see Canetti's work cited above and Sections 1.3 and 3.4 of [47].
The description here focuses primarily on privacy concerns in multiparty computation.

The basic setup of the UC framework begins with two worlds, the ideal world and the
real world, and a number of parties $p_1, \ldots, p_n$. In the ideal world, an ideal functionality
$\mathcal{F}$ is used that is secure by definition (often using a trusted third party). In the real world,
a protocol $\pi$ which realizes the ideal functionality is run. The goal is to show that $\pi$ is as
secure as $\mathcal{F}$. In each world there is an entity called the environment, denoted $\mathcal{Z}$. In each
world, there is an additional party, the adversary $\mathcal{A}$ in the real world and a simulator $\mathcal{S}$ in
the ideal world. These parties communicate their views of their respective worlds back to $\mathcal{Z}$.
To keep the setup as generic as possible, let $\mathcal{Z}$ provide the inputs to the parties. This
setup is shown in Figure 2.1.


(a)  Ideal  World.  (b)  Real  World. 

Figure  2.1:  Basic  universally  composable  security  framework  setup. 
Canetti proves two fundamental theorems behind the UC security framework. The
UC security theorem says that if $\mathcal{Z}$ cannot distinguish between the two worlds, then the
protocol $\pi$, run in the real world, is as secure as the ideal functionality (which was secure by
definition). Below is a description of how to do this, focusing on privacy concerns. Note,
however, that the UC framework does not only apply to privacy. The description below is
adapted from the description of Cramer et al. in [48].

In the real world, the execution of $\pi$ leaks information to $\mathcal{A}$ who, in turn, shares
his view of the world with $\mathcal{Z}$. Let $X_\pi$ be the information leaked during execution of $\pi$,
which forms $\mathcal{A}$'s view of the world. In the ideal world, let $\mathcal{F}$ leak only very specific
information to $\mathcal{S}$, information that can readily be shown to not violate any party's privacy.
Call this information $X_{\mathcal{F}}$. The job of $\mathcal{S}$ is to use $X_{\mathcal{F}}$ to generate $X_\pi$. If $\mathcal{S}$ can do this, since
$X_\pi$ is generated from $X_{\mathcal{F}}$, it contains no more information (from an information theoretic
perspective) than $X_{\mathcal{F}}$. Since $X_{\mathcal{F}}$, by definition, does not violate anyone's privacy, $X_\pi$ also
does not violate anyone's privacy. Therefore, $\pi$ does not violate anyone's privacy. Note that
in practice, no two runs of $\pi$ will result in identical $X_\pi$ sets. Similarly, the $X_\pi$ generated by
$\mathcal{S}$ will not be identical to a specific $X_\pi$ from the real world. Therefore, instead of requiring
equivalence, it must be shown that the $X_\pi$ generated by $\mathcal{S}$ is indistinguishable from the
leaked information sets coming from the real world.

The second theorem of Canetti's work, the composability theorem, states that UC-
secure protocols can be composed with each other and themselves in arbitrary, even
adversary controlled, ways and the resulting composition remains secure. The result
of this second theorem is that a complex protocol can be decomposed into many smaller
subprotocols. The security of the subprotocols is proven using the first theorem. Finally,
the composition is proven secure using the second theorem. The security proofs of the T-
MPC constructions in Chapter 3 utilize both of the theorems described above.
III. Transferable Multiparty Computation


Existing methods for privacy-preserving computation using both homomorphic
encryption and secure multiparty computation (MPC) have issues that are described in
Chapter 4, when applied to the applications studied in this dissertation. This chapter
proposes a new paradigm for privacy preserving computation that builds upon MPC to
enable both computations that are more efficient and advanced functionality not previously
available. The protocols are not tied to specific applications, however, and are more
generally useful. The key observation behind the protocols is that prior work has
assumed a static set of computation parties. The protocols presented here remove this
limitation, which creates numerous benefits. The paradigm is called transferable multiparty
computation (T-MPC), and this chapter gives an overview of T-MPC as well as protocol
constructions and security proofs in both the honest-but-curious model and the malicious
model.

3.1  Overview 

MPC allows a static set of parties to compute some function of their private inputs
without revealing the inputs. T-MPC relaxes the restriction of having a static set of parties.
While this relaxation might seem simplistic on the surface, constructing T-MPC protocols is
non-trivial and offers numerous benefits, which are described in Chapter 4. For simplicity,
the description below depicts T-MPC as having two sets of parties $P_1$ and $P_2$ (which may
or may not overlap and can have different sizes). T-MPC can support any number of sets
of parties.

Let $|P_1| = n'$ and $|P_2| = n$. The protocol descriptions also assume that one set,
namely $P_2$, is performing a computation and transfers that computation to the other set,
namely $P_1$. This is solely for simplicity as T-MPC allows for more generic constructions.
Any number of sets can be performing multiparty computations (possibly in parallel) and
can transfer their computation to any other set (or possibly many other sets). Therefore,
while the present description of T-MPC is out of necessity simplified, the application
of T-MPC can vary greatly. In the honest-but-curious case assume that less than $\lceil n/2 \rceil$
($\lceil n'/2 \rceil$ respectively) parties are corrupt as this is the theoretical maximum for information
theoretic MPC protocols. For the malicious case the theoretic maximum is $\lceil n/3 \rceil$ ($\lceil n'/3 \rceil$
respectively).

T-MPC  builds  upon  the  description  of  MPC  from  Section  2.3.  T-MPC  begins  with  the 
functions  share,  recombine,  add,  and  mult.  T-MPC  adds  a  signaling  mechanism  called 
trigger.  This  mechanism  interrupts  an  ongoing  multiparty  computation  running  among 
parties  of  P2  and  forces  a  transfer  of  the  computation  to  the  parties  of  Pi.  The  trigger 
mechanism  can  be  configured  to  run,  for  example,  periodically,  upon  certain  events  (e.g., 
failure  of  a  party),  inserted  manually  into  the  arithmetic  circuit,  etc.  Chapter  4  describes 
two  specific  trigger  functions  for  two  applications  in  more  detail. 

T-MPC adds two additional functions, transfer and recombine_transfer. transfer
takes the share of the input to be transferred as the first input and a random seed as the
second input. It outputs $n'$ subshares of the input. recombine_transfer takes $n'$ subshares
as its input and outputs a new share to be used in private computations. These two
functions exploit a redistribution property of linear secret sharing schemes which allows
an authorized subset of parties holding shares of a secret value, say $s$, to redistribute $s$ to a
new set of parties without revealing $s$ [44]. In particular, for T-MPC, the parties in $P_2$ run
transfer to generate subshares for parties in $P_1$ of every value needed for $P_1$ to continue
the multiparty computation. Parties in $P_1$ use recombine_transfer to compute new shares
of these values. T-MPC is constructed using all of the functions specified above as shown
in Figure 3.1. Section 3.2 presents details for these functions under the HbC model, and
Section 3.3 presents the detailed functions in the malicious model.
Figure 3.1: T-MPC state diagram.


3.2  Honest-but-Curious  Realization 

The basic functions of MPC (i.e., share, recombine, add and mult) used by HbC
T-MPC are due to Ben-Or et al. [11]. share and recombine are both handled using Shamir
secret sharing. Briefly, to generate shares $s_i$ of $s$ such that any subgroup of $t + 1$ out of the
$n$ parties can reconstruct $s$, construct the polynomial $\sigma(x) = s + r_1 x + r_2 x^2 + \cdots + r_t x^t$ in the
finite field where the coefficients $r_j$ are chosen randomly from the field. The share $s_i = \sigma(i)$
is sent to party $i$. Any subgroup of at least $t + 1$ parties can reconstruct $s$ by exchanging
their shares with one another and using Lagrangian interpolation to compute $\sigma(0) = s$.
To compute add on two secret inputs, say $s$ and $s'$, each party simply adds their shares
of the inputs. No communication is required at all because of the linearity of the secret
sharing method. To compute mult on two secret inputs $s$ and $s'$, each party $p_i$ computes
$m'_i = s_i \cdot s'_i$, then uses Shamir secret sharing to create subshares of $m'_i$ and distributes a subshare
to each of the other parties. Party $p_i$ then uses Lagrangian interpolation on the subshares
they receive from the other parties to compute $m_i$, which turns out to be a valid sharing of
$m = s \cdot s'$. These functions are combined together into a single honest-but-curious MPC
protocol $\pi_{\mathrm{MPC}}^{\mathrm{HbC}}$.

The new functions of T-MPC, transfer and recombine_transfer, are fairly simple in the
honest-but-curious model. Together these form the honest-but-curious transfer protocol
$\pi_T^{\mathrm{HbC}}$. Assume that upon a trigger event, parties in $P_2$ must transfer the input value $s$ to
parties in $P_1$. The redistribution function needed for transfer and recombine_transfer
works almost exactly like the multiplication protocol just described. Each party $p_j \in P_2$
with share $s_j$ of $s$ computes $n'$ subshares of $s_j$ using Shamir secret sharing with threshold
$t'$ and sends subshare $s_{ji}$ to party $p_i \in P_1$. Party $p_i$, after collecting all subshares, computes
recombine_transfer by running Lagrangian interpolation on the subshares to compute the
new share $s_i$ of $s$. This process is described in Figure 3.2.


Protocol

Given: $P_1, P_2 \subseteq P$ where each $p_j \in P_2$ holds a share $s_j$ of $s$, and $|P_1| = n'$, $|P_2| = n$
and $t' = I(n'/2)$ and $t = I(n/2)$ respectively (where $I$ is the integer just larger than the
parameter).

transfer: Upon a trigger event

1. Each $p_j$ generates subshares $s_{1j}, \ldots, s_{n'j}$ of $s_j$ using Shamir secret sharing with a
threshold of $t'$ and a random polynomial with coefficients $(s_j, r_{j1}, r_{j2}, \ldots, r_{j,t'-1})$.

2. Each $p_j$ sends the subshare $s_{ij}$ to party $p_i \in P_1$ over the private channel.

recombine_transfer

1. Each $p_i \in P_1$ receives $n$ subshares $s_{ij}$.

2. $p_i$ then uses Lagrangian interpolation to recover their new share $s_i$.


Figure 3.2: Honest-but-curious transfer and recombine_transfer functions.




3.2.1  Correctness  and  Complexity. 

Security and correctness proofs for the transfer protocol for redistributing secret
shares from $P_j$ to $P_i$ follow easily from [44]. That work guarantees that, first, subsets
of participants in $P_i$ up to size $t_i$ have no information about the secret. Second, as long as
at least $t_j$ parties of $P_j$ erase their information about $s$ (both their original shares and the
subshares they created), then $s$ can only be recovered by parties in $P_i$. This is guaranteed due
to the assumed threshold of corrupt parties. Finally, subsets of parties in $P_i$ and $P_j$ cannot
collude to gain extra information about $s$ as long as their sizes are no bigger than $t_i$ and $t_j$
respectively.

Since generating shares and recombining shares using interpolation can be done in
parallel by all parties, these methods are quite efficient. Straightforward algorithms for
generating the shares (polynomial evaluation) and recombining (Lagrange interpolation)
are quadratic, but there exist $O(n \log^2 n)$ algorithms for each [49]. Even the quadratic
algorithms would be sufficiently fast for most applications. As the $n_j$ parties must
communicate each of their $n_i$ shares, the communication complexity is $O(n_j n_i)$ (assuming
only one communication channel). Since really only the threshold $t$ needs to be satisfied,
the computation and communication requirements can be made even more efficient in
practice.

3.2.2  Security. 

It seems to make sense that the T-MPC protocol suggested above is secure as long as
the chosen MPC protocol is secure. This would seemingly follow from the fact that the
transfer protocol itself is secure. A more rigorous approach to proving the security of the
proposed protocol is needed. This is achieved by using the Universal Composability (UC)
framework.

The UC framework provides an elegant approach for proving the security of the T-
MPC protocol as there already exist UC-secure MPC protocols. Therefore, proving security
of the T-MPC protocol requires proving the UC-security of the transfer protocol as the T-
MPC protocol is the composition of an MPC protocol and the transfer protocol. Since two
UC-secure protocols can be composed in arbitrary ways and still be UC-secure, the security
of the T-MPC protocol follows directly from the composition theorem. Following the UC
framework, a description of the ideal functionality and details on how $\mathcal{Z}$ cannot distinguish
between the two worlds are presented below.


Ideal Functionality:

1. Each party in $P_j$ sends its share of $s$ (i.e., $s_j$) to $\mathcal{F}$.

2. $\mathcal{F}$ uses the shares to reconstruct $s$ and generates new shares of $s$, say $s'_i$, with
threshold $n_i/2$.

3. For each corrupt party $p_j \in P_j$, $\mathcal{F}$ sends $s_j$ to $\mathcal{S}$.

4. For each corrupt party $p_i \in P_i$, $\mathcal{F}$ sends $s'_i$ to $\mathcal{S}$.

5. $\mathcal{F}$ sends the share $s'_i$ to $p_i \in P_i$.

Security Proof: The ideal functionality just described is very simple and clearly
secure by definition as $\mathcal{F}$ acts as a trusted third party. Furthermore, due to the assumed
threshold of corrupt parties, the shares that $\mathcal{F}$ leaks to $\mathcal{S}$ do not violate anyone's privacy.
These shares form the set $X_{\mathcal{F}}$. To prove security of the real world protocol, $\mathcal{S}$ and $\mathcal{F}$
interact to make the ideal world indistinguishable from the real world.

Theorem 1. The environment $\mathcal{Z}$ cannot distinguish between the real world and the ideal
world.

Proof. In the real world, $\mathcal{Z}$'s view consists of information learned by $\mathcal{A}$. This includes: 1)
shares held by corrupt parties in $P_j$, 2) new shares held by corrupt parties in $P_i$, 3) subshares
generated by corrupt parties in $P_j$, and 4) subshares sent to corrupt parties in $P_i$. These four
pieces form the set $X_\pi$. In other words, let $C_j$ be the set of corrupt parties in $P_j$ and $C_i$ be
the set of corrupt parties in $P_i$, then
$X_\pi = \{\{s_j : j \in C_j\}, \{s'_i : i \in C_i\}, \{s_{ji} : i \in P_i, j \in C_j\}, \{s_{ji} : i \in C_i, j \in P_j\}\}$.

Notice that $X_{\mathcal{F}}$ is basically the first two items. In other words, $X_{\mathcal{F}} = \{\{s_j : j \in C_j\}, \{s'_i :
i \in C_i\}\}$. So, $\mathcal{S}$ must compute the third and fourth items using only what is in $X_{\mathcal{F}}$ and do
so in a manner which makes the resulting set indistinguishable from $X_\pi$ in the real world.
Using the shares of corrupt parties in $P_j$, $\mathcal{S}$ can simply create subshares of these to form
number 3 from above.

Number 4 is a little more difficult to simulate as each corrupt party in $P_i$ will receive
a subshare from each corrupt party in $P_j$. In other words, some of the subshares that $\mathcal{S}$
just generated to satisfy number 3 have to be used directly to satisfy number 4. For the
remaining subshares needed to satisfy number 4, simple random values cannot be used as
the interpolated polynomial would likely not have the correct degree. The degree of the
polynomial, $t_i$, is $\lfloor n_i/2 \rfloor$. Let $c$ be the number of corrupt parties in $P_j$. Therefore, for each
corrupt party $p_i \in P_i$, the simulator already has $c$ shares to satisfy number 4. $\mathcal{S}$ sets a zeroth
share to be the new share for $p_i$ that comes from number 2 above. It then picks $n_i/2 - c$
other shares at random. Using these shares, Lagrangian interpolation returns the sharing
polynomial $\sigma$. If $\sigma$ has degree $t_i$, the simulator's job is done. The other possibility is that $\sigma$ has
degree less than $t_i$; this is not likely to occur due to the randomly chosen shares, but if it
does, the process is repeated with new random shares. Once a $\sigma$ with degree $t_i$ is found, $\mathcal{S}$
generates the remaining shares for each corrupt party in $P_i$ to satisfy number 4.

If the set $X_\pi$ that the simulator just generated is statistically indistinguishable from
the $X_\pi$ that results from executing $\pi$ from the point of view of $\mathcal{Z}$, then the protocol is UC-
secure. There were basically four parts to these sets described above. Indistinguishability
of the first two comes directly from the fact that the adversary does not control enough
parties to run Shamir's reconstruction step. Therefore, they each contain no information
in the information theoretic sense. Indistinguishability of the third comes from the
fact that in both worlds, these subshares are valid subshares. Like generation, showing
indistinguishability of the fourth is a little more difficult. In the real world, the subshares in
number 4 result in valid new shares held by corrupt parties in $P_i$. Recall though, that since
the adversary does not control enough parties in $P_i$, the new shares are random from
the adversary's point of view. Given the way the subshares in number 4 are constructed,
they form valid subshares of the new shares found in number 2 and come from a correct
degree polynomial. Furthermore, the subshares are random. Therefore, they are also
indistinguishable in the two worlds. So, the protocol in Figure 3.2 is UC-secure. □

3.3  Malicious  Model  Realization 

This section presents the malicious model realization of T-MPC which builds upon
the HbC realization presented in Section 3.2. Similar to before, the malicious model
realization uses an MPC protocol secure in the malicious model. The malicious model
MPC protocol, built with malicious model variants of share, recombine, add, and mult,
used in the T-MPC protocol below comes from [50]. This section focuses on malicious
model variants of transfer and recombine_transfer and constructs a single protocol
from these two.

The malicious model transfer protocol works as follows. For transfer, each party in $P_2$
shares their share of $s$ with the parties in $P_1$. recombine_transfer exploits an observation
due to McEliece and Sarwate. Since fewer than a third of the parties are corrupt, Shamir
secret sharing reconstruction can be made robust using Reed-Solomon decoding. This is
because Shamir secret sharing is just a special instance of Reed-Solomon coding [51].
Under normal circumstances robustness is not enough for malicious model MPC as it
assumes that the dealer is honest, but in T-MPC, the shares that a party in $P_1$ receives
come from each party in $P_2$. Therefore, there is no one single dealer. Since there are
enough honest parties in $P_2$, each $p_i \in P_1$ receives enough honest shares to be guaranteed
to recover the correct new share. Figure 3.3 shows the details of the protocols.


Protocol

Given: $P_1, P_2 \subseteq P$ where each $p_j \in P_2$ holds a share $s_j$ of $s$, and $|P_1| = n'$, $|P_2| = n$ and
$t' = \lceil n'/2 \rceil$ and $t = \lceil n/2 \rceil$ respectively.

transfer: Upon a trigger event

1. Each $p_j$ generates subshares $s_{1j}, \ldots, s_{n'j}$ of $s_j$ using Shamir secret sharing with a
random polynomial with coefficients $(s_j, r_{j1}, r_{j2}, \ldots, r_{j,t'-1})$.

2. Each $p_j$ sends the subshare $s_{ij}$ to party $p_i \in P_1$ over the private channel.

recombine_transfer

1. Each $p_i \in P_1$ receives $n$ subshares $s_{ij}$.

2. $p_i$ uses a Reed-Solomon decoder on the subshares to recover $s_i$.

For a small number of parties, a simple brute-force RS decoder is faster than more
sophisticated decoders. For this decoder each subgroup of shares of size $t$ is run
through the regular Lagrangian interpolation algorithm to get a putative secret. The
putative secret that occurs most often is chosen as the secret. Due to the number of
corrupt parties and the threshold used for sharing this will be the correct secret with
overwhelming probability [51].


Figure 3.3: Malicious transfer and recombine_transfer functions.


3.3.1  Complexity. 

The complexity of the malicious model T-MPC functions transfer and recombine.transfer 
changes in comparison with the HbC functions because a Reed-Solomon decoder is used 
to ensure robustness. Fast O(n log² n) as well as straightforward O(n²) decoders 
exist [51]. For small sets of parties, a brute-force O(n!) decoder is faster. The brute-force 
decoder is described in Figure 3.3. 
3.3.2 Security. 

Security of the malicious model T-MPC functions is proven using the same paradigm 
that was used in the HbC case. The setup in this case, however, is more complex because 
corrupt parties can deviate from the protocol specification. A common technique for 
handling this is to let the simulator S run a (black box) copy of the adversary’s code A. The 
ideal functionality is shown below. Following the ideal functionality, a high-level overview 
of the security proof is given. The details of the proof follow directly from the techniques 
used in the HbC proof. 


Ideal Functionality: 

1. The honest parties in P2 send their shares to T. 

2. T uses the shares to generate the shares of corrupt parties in P2 and sends these 
generated shares to S. 

3. T creates subshares for each of the honest parties’ shares and sends any of these 
which would be delivered to corrupt parties in P1 to S. 

4. T receives subshares for the corrupt parties in P2 from S and verifies these 
subshares by checking the degree of the polynomial and the constant term of 
the polynomial from which they came. 

5. T uses the valid subshares to generate the new shares, {s'_i}_{i=1}^{n'}, and sends s'_i to 
p_i ∈ P1. It also sends s'_i to S for each corrupt p_i. 


Security Proof: Recall that security is shown in the UC framework by specifying how 
S interacts with Z to make the real and ideal worlds indistinguishable. The set from the 
real world is the same as in the HbC case. Recall that this set has four parts to it. The set 
Lr is also the same as it was before and has only two parts to it. The simulator generates 
the ideal world view of using Xr in the same manner as above, with the exception 
of allowing A to choose the subshares of part 3. Some of these (potentially corrupted) 
subshares are used in part 4. To generate the remainder of part 4, S follows a process 
similar to what was done in the HbC model, but ignores any subshares that A corrupted. 

Indistinguishability between the two worlds changes only slightly in the malicious 
case. Recall that Z’s view in both worlds is defined by which consists of the four parts 
presented earlier. The first part is the same as in the HbC model, so indistinguishability 
follows from that previous discussion. Thanks to the robust reconstruction done in 
the malicious model, the second part is also the same as in the HbC case, so again, 
indistinguishability follows from that discussion. The subshares generated by corrupt 
parties in P2, which form the third part, are, in both worlds, generated by A, who 
is the same in both worlds, so they are indistinguishable. The fourth part consists of 
subsharings of the second part, with some of the subshares potentially corrupted by A. 
Since A is the same in both worlds, using analysis similar to that done in the HbC case for 
part 4, this part is also indistinguishable. Therefore, since the sets are indistinguishable 
between the two worlds, the malicious transfer protocol is UC secure. 
IV. Applications 


This chapter describes two application areas to which T-MPC is applied. The purpose 
of this is to highlight the benefits that are gained by using T-MPC over MPC. Chapter 1 
briefly introduced the application areas. The scenario and setup for each application is fully 
defined in this chapter. Prior and related work specific to each application is also discussed. 
This chapter then presents the application of T-MPC to each area and shows how 
T-MPC benefits each. 

4.1  Smart  Grid 

4.1.1  Motivation. 

In 2010, the United States’ Federal Bureau of Investigation (FBI) issued a report 
on smart meter hacking which detailed how one utility could lose up to $400 million 
annually due to meter tampering attacks [52]. The report concludes that “this type of 
fraud  will  also  spread  because  of  the  ease  of  intrusion  and  the  economic  benefit  to  both 
the  hacker  and  the  electric  customer.”  The  specific  attack  detailed  in  the  report  was  an 
energy  stealing  attack,  or  one  in  which  the  meter  misrepresents  the  consumption,  resulting 
in  a  lower  bill  for  the  user.  Other  published  attacks  on  smart  meters  aim  to  allow  someone 
to  read  consumption  information  off  of  the  meters.  In  one  such  attack,  using  just  $20  in 
hardware,  the  researcher  was  able  to  read  consumption  information  off  all  smart  meters 
within  range  (about  19  meters)  [53].  This  second  attack  is  a  direct  attack  on  privacy  as  one 
could  use  it  to  remotely  learn  another’s  consumption  information.  Published  research  has 
shown  that  consumption  information  can  reveal  very  private  information  such  as  when  a 
home  is  vacant,  what  appliances  are  being  used,  or  whether  or  not  expensive  electronics 
might  be  present  in  the  home  [1,2]. 
A number of privacy preserving data aggregation protocols have been proposed and 
studied for application to this problem (see [54] for an overview). Typically these protocols 
have focused on spatial (i.e., aggregating information from many meters at one instance in 
time) or temporal (i.e., aggregating information from one meter over a period of time) 
aggregation and have often focused on computing only the summation function. Secure 
multiparty computation (MPC) offers a capability to compute any function (including 
summation) while mitigating privacy risks. Due to its perceived complexity, MPC has 
not seen a lot of application in smart meter networks. Indeed, many of the public-key 
based systems use additively-homomorphic ciphers (e.g., [55-59]). Interestingly, generic 
MPC protocols are actually more efficient than existing protocols that use homomorphic 
encryption. T-MPC enables highly scalable and efficient computations. 

To better motivate the utility of T-MPC, consider the following scenario. Four 
parties, called Alice, Bob, Chuck and Doug, are interested in computing the sum of their 
inputs, x_a, x_b, x_c, x_d. Using traditional MPC, if Doug is unavailable, Alice, Bob and Chuck 
must wait until he is available to begin the computation. Clearly this is inefficient, as 
sum(x_a, x_b, x_c, x_d) = sum(sum(x_a, x_b, x_c), x_d) and, therefore, Alice, Bob and Chuck could 
proceed with computing the sum of their inputs and, when Doug finally arrives, let him 
join in on the computation to add his input to get the final result. There are a number of 
technical limitations to applying MPC in this manner, as traditional MPC assumes a static 
set of computation parties. T-MPC solves this problem by allowing partial computations 
from one set of parties (e.g., Alice, Bob and Chuck) to be transferred to a new set of parties 
(e.g., Alice, Bob, Chuck and Doug) without revealing intermediate computation values. 
The new set could be a superset, subset or completely independent of the original set of 
parties. This specific example of T-MPC generalizes to cases where f is composed of other 
functions, for example f = g(x_1, x_2, x_4, h(x_2, x_3)). 
Another example of the utility of T-MPC is in optimizing certain computations. 
For example, consider a very large set of smart meters, say n = 1,000,000 and again 
f = sum. Using traditional MPC directly for this computation is very inefficient as all n 
must participate in all portions of the computation. Since many standard MPC protocols 
rely on secret-sharing inputs, such a computation would require each party to share its 
input with the n − 1 other parties. This is very inefficient and becomes unwieldy as n grows 
larger and larger. One technique commonly used to fix this inefficiency is to have the 
parties share their inputs with a small number of computation servers instead of all other 
parties. The computation servers carry out the computation of f on behalf of the parties. 
This technique, however, presupposes the availability of such servers and an infrastructure 
for communicating with these servers. In the smart grid, wireless sensor networks, and 
potentially many other applications, this assumption will not necessarily hold. T-MPC 
solves the problem for certain computations without the additional assumptions by allowing 
small groups to compute local results and securely transfer the computation. This is best 
illustrated by considering a tree structure as depicted in Figure 4.1. 


Figure  4.1:  Applying  transferable  multiparty  computation  to  a  tree  structured  network. 

Using T-MPC, parties R1, R2 and R3 can compute the sum of their inputs and transfer 
the result to B1, B2 and B3 without revealing their individual inputs or the intermediate 
sum. Similarly G1, G2, G3 and Y1, Y2, Y3 compute the sum of their inputs and transfer 
the result up the tree. When B1, B2 and B3 receive input from all of the parties below, they 
sum those values privately along with their own inputs and send the necessary information 
to K1 to reconstruct the result. More generically, siblings compute their portion of the 
computation, combine it with results from their children, and transfer the computation to 
the next level up in the tree. Being able to structure computations in this fashion leads to 
much more efficient computations while still providing privacy of individual inputs and 
intermediate results. T-MPC is orders of magnitude more efficient than simply using 
existing MPC protocols for in-network smart grid computations. For instance, for the 
standard deviation function and using a common MPC protocol, an example smart meter 
network with around 700 meters would take approximately fifteen minutes to complete the 
computation. On the other hand, using T-MPC, the standard deviation of over a million 
meter nodes takes just a few seconds to compute. 
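The transfer and recombine.transfer steps of Figure 3.3 and the R-to-B level of Figure 4.1, as an added example (not code from the dissertation or from VIFF): Shamir sharing over GF(2^61 − 1) (a constructed choice), subsharing-based transfer with the HbC linear recombination of the subshares, and the brute-force Reed-Solomon decoder of Figure 3.3 applied to a sharing in which one party has tampered with its share. Here the threshold k is the number of shares needed to reconstruct (polynomial degree k − 1), and party counts and inputs are constructed.

```python
import random
from collections import Counter
from itertools import combinations

PRIME = 2**61 - 1  # field for all arithmetic; a constructed choice, not from the dissertation


def _eval_poly(coeffs, x):
    """Horner evaluation of c0 + c1*x + c2*x^2 + ... over GF(PRIME)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def share(secret, n, k):
    """Shamir-share `secret` among parties 1..n so that any k shares reconstruct:
    random polynomial of degree k-1 whose constant term is the secret."""
    coeffs = [secret % PRIME] + [random.randrange(PRIME) for _ in range(k - 1)]
    return {i: _eval_poly(coeffs, i) for i in range(1, n + 1)}


def lagrange_at_zero(xs):
    """Lagrange coefficients that evaluate the interpolating polynomial at x = 0."""
    lam = {}
    for i in xs:
        num = den = 1
        for j in xs:
            if j != i:
                num = num * (-j) % PRIME
                den = den * (i - j) % PRIME
        lam[i] = num * pow(den, PRIME - 2, PRIME) % PRIME
    return lam


def recombine(points):
    """Plain reconstruction from {x: y}: every point is trusted (HbC recombine)."""
    lam = lagrange_at_zero(list(points))
    return sum(lam[x] * y for x, y in points.items()) % PRIME


def robust_recombine(points, k):
    """Brute-force Reed-Solomon decoding as described in Figure 3.3: interpolate
    every k-subset and take the putative secret that occurs most often. Correct
    whenever n >= k + 2e for e corrupted points (the unique-decoding bound),
    which holds with fewer than a third of the parties corrupt and k = e + 1."""
    votes = Counter(recombine({x: points[x] for x in subset})
                    for subset in combinations(sorted(points), k))
    return votes.most_common(1)[0][0]


def add_shares(*sharings):
    """add: the pointwise sum of shares held by one party set is a sharing of the sum."""
    return {i: sum(s[i] for s in sharings) % PRIME for i in sharings[0]}


def transfer(old_shares, n_new, k_new):
    """transfer: each old party j subshares its share s_j among the n_new new
    parties with a fresh random polynomial. Returns {i: {j: s_ij}}, i.e. the
    subshares that new party i receives over its private channels."""
    received = {i: {} for i in range(1, n_new + 1)}
    for j, s_j in old_shares.items():
        for i, s_ij in share(s_j, n_new, k_new).items():
            received[i][j] = s_ij
    return received


def recombine_transfer(received):
    """recombine.transfer in its HbC form: new party i combines its subshares with
    the Lagrange coefficients of the old party set. Since sum_j lam_j * s_j = s,
    the value sum_j lam_j * s_ij is party i's share s'_i of s on a fresh polynomial."""
    new_shares = {}
    for i, subs in received.items():
        lam = lagrange_at_zero(list(subs))
        new_shares[i] = sum(lam[j] * s_ij for j, s_ij in subs.items()) % PRIME
    return new_shares


def tree_sum(level_r, level_b, k=2):
    """One level of Figure 4.1: R1..R3 share and add their inputs, transfer the
    sharing of their sum to B1..B3, who add in their own inputs; the root K1 then
    reconstructs. Only shares ever leave a party. Returns the recovered sum."""
    n_r, n_b = len(level_r), len(level_b)
    r_sum = add_shares(*(share(x, n_r, k) for x in level_r))       # held by R1..R3
    b_from_r = recombine_transfer(transfer(r_sum, n_b, k))         # now held by B1..B3
    b_total = add_shares(b_from_r, *(share(x, n_b, k) for x in level_b))
    return recombine(b_total)                                       # K1 reconstructs


def corrupted_reconstruction(secret, n=5, k=2):
    """Malicious-model check: party 3 tampers with its share before reconstruction.
    Returns (plain result, robust result); the plain one is wrong, the robust one
    equals `secret` because 6 of the 10 pairs avoid the corrupted share."""
    pts = share(secret, n, k)
    pts[3] = (pts[3] + 12345) % PRIME   # constructed corruption
    return recombine(pts), robust_recombine(pts, k)


if __name__ == "__main__":
    print(tree_sum([5, 7, 11], [2, 3, 4]))      # 32
    print(corrupted_reconstruction(42))          # (wrong value, 42)
```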

4.1.2  Experimental  Setup. 

In studying the application of T-MPC to the smart grid, assume a network organization 
similar to that of Figure 4.1. The analysis presented here looks at various branching factors 
and  various  numbers  of  nodes.  Assume  that  nodes  can  communicate  directly  with  their 
sibling  nodes,  their  parent  node,  and  their  parent’s  siblings.  Also  assume  that  the  root  node 
of  the  tree  can  communicate  with  any  other  node  in  the  tree  (either  with  a  fully-connected 
network  or  using  routing).  To  simplify  the  analysis,  assume  that  each  level  in  the  tree  is 
complete. 

In  this  section,  T-MPC  is  compared  with  the  honest-but-curious  MPC  protocol 
from  [47].  In  fact,  since  T-MPC  uses  a  generic  MPC  protocol  with  the  transfer  protocol, 
the  HbC  T-MPC  uses  the  MPC  protocol  from  [47].  Note  that  the  protocol  from  [47]  is  UC- 
secure  and  thus  composes  securely  with  the  transfer  protocol.  The  implementation  used  in 
the experiments comes from the VIFF (http://viff.dk) framework that runs on Python. The 
meter nodes are Gumstix Overo Earths with a 600MHz processor and 256MB of RAM. 
While  this  is  more  powerful  than  current  smart  meters,  their  performance  may  be  found  in 
future  smart  meters,  possibly  by  using  custom  chips.  The  final  result  of  the  computation 
will  be  reconstructed  by  the  root  of  the  tree.  This  node  is  a  laptop  running  an  Intel  Core 
i5-540M  CPU  and  4GB  of  RAM  in  the  experimentations.  For  communications,  assume  a 
half-duplex,  250kbps  wireless  link  with  a  single  communications  channel. 

4.1.3  Timing. 

To assist in the analysis, the operations necessary for HbC MPC and malicious MPC 
are timed on both the Gumstix and the laptop. As add is a constant time operation, it is 
measured by the average time to add two shares in VIFF. The operations share, recombine, 
and mult take linear time in the number of parties; thus they are estimated by running 
computations with various numbers of parties and finding the coefficients of the line 
by linear regression. Table 4.1 shows the computed values for each operation 
for the honest-but-curious MPC protocol. For the linear operations, the coefficients of 
the line y = c2 x + c1 estimate the time to compute each operation for a given number of 
parties. Malicious model timing was computed similarly, but the preprocessing operation 
genTriple, which is quadratic, is estimated using a quadratic function y = c3 x² + c2 x + c1. 
This information is shown in Table 4.2. These timing values assist in computing the timing 
for the additional T-MPC operations transfer and recombine.transfer, as both operations 
are composed of the operations already specified. The time to run transfer in both models 
is simply the time to run share in the respective model. For HbC T-MPC, the time to run 
recombine.transfer is simply the time to run recombine, while for malicious T-MPC the 
Reed-Solomon decoder is used; for small numbers of parties the fastest method is 
brute force, which has factorial complexity. 
Table 4.1: Timing estimation for HbC MPC. 
(Linear operations: y = c2 x + c1, x = number of parties; add is constant.) 

            share             recombine         add       mult 
            c2      c1        c2      c1        c1        c2      c1 
  Meter     1.178   -1.019    0.056   0.289     0.07      1.234   -0.66 
  Sink      0.043   -0.036    0.003   0.01      0.002     0.049   -0.026 

Table 4.2: Timing estimation for malicious MPC. 
(genTriple: y = c3 x² + c2 x + c1; linear operations: y = c2 x + c1; add is constant.) 

            genTriple                  share             recombine         add       mult 
            c3      c2      c1         c2      c1        c2      c1        c1        c2      c1 
  Meter     0.141   4.879   -3.209     1.178   -1.019    0.056   0.289     0.07      0.112   0.58 
  Sink      0.002   0.181   -0.114     0.043   -0.036    0.003   0.01      0.002     0.006   0.02 

4.1.4  Analysis. 

The analysis in this section uses the timing values from Tables 4.1 and 4.2 to compute 
the total time to execute two functions of interest, namely summation and standard 
deviation. To avoid division and square roots in the computation of the standard 
deviation, the parties compute only the numerator (it is assumed that the root of the 
tree knows n). Note that this leaks no additional information when compared to computing 
the standard deviation in its entirety. 

T-MPC allows for parallelizing in-grid computations using the tree structure previously 
described. This results in a significant optimization of both the sum and standard 
deviation. Figure 4.2 shows the time to execute each computation for a fixed network tree 
branching factor (i.e., the number of children that each node has) of 10. The benefit of 
T-MPC is clear. Using the MPC protocol, one can compute the sum and standard deviation 
in less than fifteen minutes as long as there are fewer than 2647 and 777 meter nodes, 
respectively. Compare this with T-MPC, however, where even at 10^6 meter nodes, it takes 
well under the fifteen minute mark to run the computation. In fact, the protocol execution 
time with this large of a network takes less than 2 seconds for both the sum and 
the standard deviation. Thus, T-MPC greatly enhances the scalability of the network. 
Furthermore, this increased scalability allows for more fine-grained information reporting in 
reasonably sized networks. This is very significant as prior, specialized summation protocols 
which use homomorphic encryption can only support networks up to 50 nodes at an 
information reporting granularity of 60 seconds [39]. 


[Figure 4.2 plot: MPC vs. T-MPC in HbC Model] 

Figure 4.2: MPC vs. T-MPC (tree branching factor of 10), Honest-but-Curious Model. 


The comparison between MPC and T-MPC used a branching factor of 10 in the 
construction of the tree. The branching factor determines a number of items, including 
the number of shares used when secret sharing inputs, the depth of the tree, and the amount of 
parallelism, to name a few. Figure 4.3 plots the time to execute T-MPC for both sum and 
standard deviation with various branching factors. From the figure, note that the branching 
factor does play some role in the efficiency of the protocol. The differences are fairly 
minor, however. As the branching factor approaches n (the total number of meter nodes), 
T-MPC in this case becomes equivalent to the underlying MPC protocol. There 
is another underlying aspect to the branching factor. For a subset of parties P_i of size n_i, 
there are t_i < n_i/2 adversary-controlled parties due to the underlying MPC protocol. In 
the case of a tree structured network n_i = BF. Therefore, for BF = 3 there can only be 
one corrupted party in each subset, but for BF = 11 the T-MPC protocol could handle up 
to five corrupted parties. Understanding the implications of this is especially important in 
real-world deployments. 


[Figure 4.3 plot: HbC T-MPC with various Branching Factors] 

Figure 4.3: Various branching factors (BF) for Transferable Multiparty Computation, 
Honest-but-Curious Model. 


The results of the malicious model experiments are very similar in that T-MPC in the 
malicious model is far more efficient than MPC. Figure 4.4 shows the comparison between 
T-MPC and MPC while Figure 4.5 shows how the branching factor affects execution time. 
[Figure 4.4 plot: MPC vs. T-MPC in Malicious Model; x-axis: Number of Meter Nodes] 

Figure 4.4: MPC vs. T-MPC (tree branching factor of 10), Malicious Model. 


4.2  Decentralized  Reputation  Systems 

4.2.1  Motivation. 

Reputation in another party is a measure of confidence that that party will conform 
to  a  certain  behavior  or  perform  a  certain  action.  For  example,  consider  a  mobile  ad-hoc 
network  (MANET)  in  which  a  party’s  neighbors  are  used  to  route  messages.  A  party  might 
build  up  reputation  information  on  his  neighbors  by  observing  whether  or  not  they  forward 
messages  he  sends  to  them.  As  new  parties  join  the  network,  however,  they  will  have 
no  reputation  information  on  others  in  the  network.  A  reputation  system  can  be  used  to 
help  bootstrap  this  information.  In  a  typical  reputation  system,  a  party  can  ask  others  for 
their  reputation  scores  on  a  particular  party,  and  then  use,  for  example,  the  average  of  the 
responses  to  bootstrap  their  own  reputation  information. 

[Figure 4.5 plot: Malicious T-MPC with various Branching Factors; x-axis: Number of Meter Nodes] 

Figure 4.5: Various branching factors (BF) for Transferable Multiparty Computation, 
Malicious Model. 

Many online marketplaces have reputation systems built in. They allow users to 
provide feedback (or ratings) on products and vendors. The aggregate of this feedback 
information is displayed to customers in order to help them make choices about what 
product to purchase or from whom to purchase the product. These are examples of 
centralized reputation systems. These reputation systems can function because the market 
operator (e.g., Amazon or eBay) is at least somewhat trusted by both vendors and 
consumers. Indeed, it is in the market operator’s best interest to provide honest feedback 
to customers. 

In many scenarios, however, such a trusted party does not exist. This includes peer- 
to-peer systems, MANETs, and others. For this reason, decentralized reputation systems 
(DRS) exist. Example systems can be found in [60-63], which are applied to both peer-to- 
peer systems and MANETs. These systems are more ad-hoc in nature. In these systems, 
a party p_q, called the querying party, would like to interact with another party p_t, called 
the target party, but p_q has no reputation information on p_t. Therefore, p_q forms a set of 
parties, U, and asks each party in U to provide their reputation information on p_t. p_q then 
averages these and stores the result. The result is used to help p_q know whether or not to 
interact with p_t. 

Recently, researchers have become concerned about privacy issues in DRS. In 
particular, if privacy of reputation information is not maintained, parties providing 
reputation information to a query could be subject to retaliation, retribution, or attack. 
Therefore, it may be in a party’s best interest to not provide honest feedback. To alleviate 
this situation, researchers have proposed a number of privacy-preserving decentralized 
reputation systems (PDRS). In such systems, instead of providing their reputation 
information directly to p_q, the parties in U run a protocol which allows them to jointly 
compute a function of each of their individual reputation values about p_t (typically they 
compute the sum) and then reveal the result of the computation to p_q. The protocol run by 
the parties is specifically designed so that they have strong assurances that their reputation 
information has been kept private. Examples of such systems can be found in [64-68]. 

All  existing  PDRS  fall  into  the  category  of  static  PDRS.  Static  means  that  when  a  party 
leaves  the  network,  all  of  the  reputation  information  they  have  built  up  through  interactions 
with  others  in  the  network  leaves  with  them.  In  situations  where  reputation  information  is 
sparse,  however,  this  can  be  a  big  problem.  The  security  of  these  systems  is  often  based 
on  there  being  a  sufficiently  large  number  of  parties  in  the  query  set  U,  some  fraction  of 
which  must  be  honest.  This  section  presents  a  dynamic,  privacy-preserving  decentralized 
reputation  system  (Dyn-PDRS)  as  a  solution  to  this  problem.  A  Dyn-PDRS  enables  parties 
to  run  a  delegation  protocol  when  they  want  to  leave  the  network.  In  this  protocol,  they 
delegate  their  reputation  information  to  a  set,  D,  of  other  parties  in  the  network.  The 
delegation  is  done  in  such  a  way  that  the  party’s  privacy  is  still  maintained.  That  party  is 
then  free  to  leave  the  network.  When  that  party  appears  in  a  query  set  U,  the  parties  in  D 
are  able  to  act  on  its  behalf.  Furthermore,  a  Dyn-PDRS  provides  a  redelegation  protocol 
which is run when a party in D wants to leave the network. This allows the parties in D to 
redelegate  to  a  new  set  D' .  That  set  D'  can  then  act  on  the  original  party’s  behalf. 

This  section  presents  the  following  contributions. 

1.  A  description  of  existing  PDRS  from  the  literature  and  an  illustration  of  how  these 
systems  fail  when  parties  are  allowed  to  leave  the  network. 

2.  A  more  formal  definition  of  PDRS  and  Dyn-PDRS  and  a  description  of  the  problem 
setting. 

3.  Four  protocols  for  building  a  Dyn-PDRS.  The  first  is  necessary  for  a  PDRS  and  is 
similar  to  existing  work  in  the  area.  The  next  three  are  necessary  to  build  the  Dyn- 
PDRS. 

4.  Correctness  and  security  analysis  of  the  protocols. 

The protocols are secure in the honest-but-curious or semi-honest adversary model [40]. 
This model assumes that corrupt parties execute the protocol as specified, but use any 
information gleaned during execution to attempt to violate another party’s privacy. This section 
presents results of a number of simulations to illustrate the benefits of a Dyn-PDRS over 
the traditional PDRS. While the delegation and redelegation protocols given can be run 
indefinitely, it turns out this can have a major impact on security. Section 4.2.6 formalizes the 
issue and presents two delegation strategies for dealing with it. Section 4.2.7 describes an 
implementation of the protocols, and Section 4.2.8 describes timing experiments conducted 
using the implementation. 

4.2.2  Related  Work. 

A  number  of  protocols  have  been  proposed  to  construct  PDRS.  This  section  describes 
some  of  the  prominent  ones  and  comments  on  why  the  problem  of  operating  in  networks 
where  parties  are  constantly  leaving  and  rejoining  the  network  is  a  concern.  The  description 
focuses on protocols which are secure in the honest-but-curious model as that is the model 
used  in  this  section. 

4.2.2.1 Pavlov et al. 

One  of  the  earliest  works  in  privacy-preserving  decentralized  reputation  systems 
comes  from  Pavlov  et  al.  [64].  An  important  proof  coming  from  this  work  is  that 
if  the  querying  node  is  corrupt,  there  must  be  at  least  two  honest  nodes  or  privacy 
cannot  be  achieved.  The  authors  also  present  three  protocols  (of  varying  strengths  and 
security  guarantees)  which  enable  such  a  system.  Their  second  protocol  is  closest  to  the 
present  setting  (full-threshold  security  where  corrupt  parties  are  allowed  to  collude)  and  is 
described  below.  The  querying  party  begins  the  protocol  by  running  a  witness  selection 
scheme.  This  results  in  a  set  of  witnesses  who  will  provide  feedback  on  the  target  party 
and,  with  high  probability,  will  have  at  least  two  honest  witnesses.  The  querying  party 
sends  a  description  of  the  set  to  all  parties  in  the  set.  Each  witness  splits  his  reputation 
score  on  the  target  party  using  additive  secret  sharing  and  sends  one  share  to  each  party  in 
the  protocol  (including  the  querying  party)  and  keeps  one  share  for  himself.  Once  a  party 
has  gathered  shares  from  every  other  party,  he  sums  them  all  up  and  sends  the  result  to 
the  querying  party.  The  querying  party  then  sums  all  the  values  he  receives  to  recover  the 
sum  of  the  reputation  values.  For  security  and  correctness  proofs  of  this  protocol,  see  the 
original  work  by  Pavlov  et  al. 

In  the  case  of  dynamic  networks,  the  problem  with  Pavlov’s  protocol  is  that,  while 
honest  parties  which  could  provide  feedback  for  a  particular  target  party  will  come  and 
go  due  to  normal  churn  in  the  network,  dishonest  parties  will  not  necessarily  follow  this 
pattern, making them more likely to be chosen as witnesses. Pavlov et al. prove their 
witness selection scheme will result in a witness set with at least two honest witnesses with 
probability greater than (1 - ^)(^~j^~^), where n is the number of witnesses, N is the number 
of possible witnesses (i.e., the number of parties with reputation information on the target), 
and b is the number of corrupt parties. 

For  Pavlov’s  protocol,  a  dynamic  network  has  the  effect  of  lowering  N  while  b  remains 
constant.  Figure  4.6  shows  how  this  affects  the  probability  of  having  at  least  two  honest 
witnesses.  The  probability  for  a  hypothetical  static  network  is  also  shown  in  the  figure  for 
reference.  Here,  the  fraction  of  corrupt  parties  is  fixed  at  0.1  and  the  size  of  the  witness  set 
is  one-tenth  of  the  original  network  size.  It  is  clear  that  the  dynamic  nature  of  the  network 
has  a  significant  impact  on  the  security  of  Pavlov’s  protocol. 


[Figure 4.6 plot: Existing PDRS in dynamic network] 

Figure 4.6: Comparison of security for Pavlov’s protocol [64] in static vs. dynamic 
networks. 


4.2.2.2  Hasan  et  al. 

Hasan et al. [65] propose the k-shares reputation protocol which builds upon the 
work of Pavlov et al. The benefit of the k-shares protocol is that witnesses are able to 
maximize and quantify the probability that their reputation information is kept private. In 
this protocol, the querying agent chooses a set of witnesses (the exact method for this is not 
specified in the paper). The description of the set of witnesses is sent to each witness. Each 
witness chooses a subset of the witnesses of size up to k which he considers trustworthy. 
The witness then shares their reputation information with the subset using additive secret 
sharing and sends the description of the subset to the querying party. The querying party 
informs each witness who they will receive shares from. Each witness, upon receiving 
shares from other witnesses, sums them up and sends the result to the querying party. The 
querying party sums all of these values to get the sum of the reputation values. Note that if 
a witness decides to, he may choose not to input his reputation information if he does not 
trust enough parties in the witness set. Furthermore, since each witness is selecting up to k 
other witnesses that he trusts, the authors note that this leaks some information about trust 
relationships (but not specific reputation information). The authors propose solving this by 
allowing the querying party to add a few untrusted parties to the subset and then selecting 
the same subset for repeated queries. 

Consider the operation of Hasan's protocol in a dynamic network. As the authors do not specify how the set of witnesses is chosen, assume it happens in the same manner as in Pavlov's protocol. In Hasan's protocol, as fewer and fewer honest witnesses are available, the remaining honest witnesses will likely refuse to take part in the computation, thus preserving their privacy. Note, however, that more honest parties refusing to participate in reputation computations is not a good thing for the system as a whole. Another issue arises when attempting to use Hasan's protocol in a dynamic network. In order to provide high efficiency, the authors require that k ≪ n, where n is the size of the witness set and k is the maximum size of the subsets chosen by each witness. In a dynamic network, it is possible that this inequality cannot be met, as the number of available (i.e., currently part of the network) witnesses could be much smaller than in an entirely static network.
4.2.2.3 Other Protocols.

A number of other decentralized, privacy-preserving reputation systems have been proposed in the literature (e.g., [66, 67]). Of the other protocols available, all have similar issues with regard to dynamic networks. In particular, the fact that reputation information from trustworthy parties may not be available at query time impacts the security of existing reputation systems. This illustrates the importance of availability in decentralized reputation systems in general. The solution to the problem is non-trivial, as the privacy of the reputation information used to help the querying party compute a reputation value for the target party must also be preserved.

4.2.3 Problem Setting and Definitions.

The problem area is that of computing reputation in a privacy-preserving manner in dynamic, decentralized networks. This section defines the working environment and other important details of the setup. Some details are abstracted in order to focus on building solid protocols to enable such a reputation system.

Let P be the set of parties which form the network. Parties in P may leave and join the network as they please. Assume that each pair p_i, p_j ∈ P is connected by a secure, authenticated channel. Party p_i stores reputation information that it has generated about another party p_j, say v_ij. Let v_ij be between 0 and some global maximum reputation v_max if p_i has reputation information on p_j; otherwise, v_ij = ⊥.

Decentralized reputation systems are useful in the case where p_i needs to interact with some p_k but v_ik = ⊥. In this case, p_i forms a set U ⊂ P and queries the parties in U about p_k to help it compute v_ik. For example, if v_ik = Σ_{p_j ∈ U} v_jk the system is additive. Such a system is also privacy-preserving if it fits the following definition.

Definition 1 (Privacy-preserving Decentralized Reputation System (PDRS)). A (additive) PDRS consists of a decentralized protocol π_add which allows a querying party, p_i, to compute v_ik = Σ_{p_j ∈ U} v_jk without any of the v_jk values being leaked to any other party. Here U is the query set and is chosen by p_i.

Definition 2 (Additive Secret Sharing). Let G be a cyclic group. The additive secret sharing of s ∈ G are the shares s_1, ..., s_n ∈ G such that

1. s = s_1 + s_2 + ... + s_n and

2. s_1, s_2, ..., s_{n-1} are chosen at random from G and

3. s_n = s - (s_1 + s_2 + ... + s_{n-1}).

Let S_n : G → G^n be the additive secret sharing function which outputs n shares of the input, that is, S_n(s) = (s_1, ..., s_n). Let S_n(s)[i] be the i-th share of s. Given the n shares, one can reconstruct s simply by adding the shares together.

Additive secret sharing, defined above, has been used in a number of general secure multiparty computation protocols as a way to preserve privacy [43, 69], and is used in the Dyn-PDRS presented in this section. It is linear, i.e., given shares of two values, one can compute a share of the sum of those values without inverting the sharing function, or mathematically

S_n(s)[i] + S_n(s')[i] = S_n(s + s')[i].

Furthermore, any adversary who does not know all the shares cannot compute the secret. In fact, an adversary with up to n - 1 shares gains no additional information about s. In other words, additive secret sharing is information-theoretically secure. The subscript is omitted when it is clear from the context.

Definition 3 (Dynamic, Privacy-preserving Decentralized Reputation System (Dyn-PDRS)). A (additive) Dyn-PDRS consists of a protocol π_add as in Definition 1 and three additional protocols: π_del, π_act and π_redel. π_del allows a party to delegate the reputation information it holds to a set of parties D while still preserving the privacy of that information. The protocol π_act allows a set of parties who have been authorized to act on another party's behalf to enter that party's information into the protocol π_add while still preserving the party's privacy. Finally, the protocol π_redel lets a set of parties, say D, re-delegate reputation information that was delegated to it to another set of parties, say D', in a way which maintains the privacy of the information.

The next section gives specific instances of these protocols and shows how they are composed to form a Dyn-PDRS. There is some tradeoff to be balanced in delegation. Section 4.2.6 explores delegation strategies in order to balance the tradeoff between information availability and privacy.

4.2.4 Protocols.

This section presents the four protocols introduced earlier. It first presents π_add, the protocol that allows p_i to use the set U to compute v_ik = Σ_{p_j ∈ U} v_jk privately. The summation is computed via a simple multiparty computation built on additive secret sharing. The concept is similar to previous work in decentralized reputation systems and has similar performance characteristics. π_add by itself could be used as the basis of a PDRS. It is important to note that in a Dyn-PDRS, since delegations are allowed, the set U may contain parties which are not currently online, as long as the party has delegated its reputation information. The set U can be generated using methods from prior work, for example, Pavlov's witness selection protocol. All parties in U must have reputation information on the target, p_k.

Next, this section presents the remaining three protocols, π_del, π_act and π_redel, to enable privacy-preserving delegation. Together, these protocols enable a reputation system where parties can leave the network, yet delegate their reputation information in such a way that it can still be used to assist other parties in computing reputation. Some details of the underlying communication system and of how the protocols interact are kept abstract to keep the discussion focused on the protocols themselves. Section 4.2.7 describes the implementation of these protocols in a real system and describes these parts in more detail. In a general sense, the protocols are secure for up to n - 1 corrupt parties. However, due to the specific computation, summation, n - 1 corrupt parties can learn the remaining honest party's input by subtracting their individual inputs from the output. Only the querying party should learn the output, so if the querying party is corrupt, there must be at least two honest parties in U. For simplicity the protocols are presented as if the querying party is honest. In the case of a dishonest querying party, the only thing that changes is the number of corruptions tolerated.

4.2.4.1 The PDRS Protocol.

Let p_i be the querying party, who wants to compute v_ik for some party p_k. Let U be the set of witnesses with inputs to the computation. The protocol π_add is shown in Protocol 1. Note that while not identical to previously proposed protocols for PDRS, the protocol is very similar, and, taken in its own right, should have similar performance.

Correctness: The correctness of the protocol is guaranteed due to the linear nature of additive secret sharing. Mathematically, Σ_{p_j ∈ U} S(v_jk), where addition is performed pointwise on the sharing vectors, is equal to S(Σ_{p_j ∈ U} v_jk). These shares are, in essence, what the parties in U send to p_i in the next to last step. So,

\sum_{p_j \in U} t_j = \sum_{p_j \in U} v_{jk}.

Security: The security of the protocol comes from the security guarantees of additive secret sharing. As long as the adversary has not corrupted all of U, all of the individual reputation values v_jk as well as the output value v_ik are kept private.

Protocol 1 π_add.

1. p_i sends the description of the set of witnesses U and the identity p_k to each party in U.

2. Each p_j ∈ U computes (s_1, ..., s_|U|) = S_|U|(v_jk) and sends one share to each other party in U and keeps one share for himself.

3. Each p_j collects one share from each of the other parties in U. Let (r_1, ..., r_|U|) be the shares p_j collects (including his own share).

4. Each p_j then computes t_j = r_1 + r_2 + ... + r_|U| and sends t_j to p_i.

5. Party p_i receives |U| shares, t_j from each p_j ∈ U, and sets v_ik = Σ_{p_j ∈ U} t_j.

4.2.4.2 The Dyn-PDRS Protocols.

Say party p_ℓ ∈ P is leaving the network. In order not to lose all the reputation information of p_ℓ, this section proposes the necessary protocols to allow p_ℓ to delegate its reputation information to a set of parties D ⊂ P. This includes a protocol to allow the parties in D to act on behalf of p_ℓ whenever p_ℓ appears in a query set U, and a protocol to allow the parties in D to transfer the delegation of p_ℓ's reputation information to a new set D'. This second protocol is used when a party in D is leaving the network. D and D' may be of different sizes, overlap or be completely independent. When p_ℓ rejoins the network, the parties in D can simply discard p_ℓ's reputation information. It would be fairly simple, however, to also allow the parties in D to return the reputation information back to p_ℓ. For now, let the set D be chosen at random. Section 4.2.6 explores other methods for choosing D and the redelegation sets.

Protocol 2 describes π_del. The correctness and security of this protocol come directly from the correctness and security of additive secret sharing, discussed earlier. As long as the adversary does not control all of the parties in D, p_ℓ's reputation information is kept private.

Protocol 2 π_del.

1. p_ℓ chooses a set of delegates D ⊂ P.

2. For each p_j ∈ P where v_ℓj ≠ ⊥, p_ℓ computes shares_j = S_|D|(v_ℓj) and sends the identity j and one share to each party in D.

3. p_ℓ digitally signs a message signifying that it has delegated its reputation information to the set D and sends the message and signature to each party in D.

Once the parties in D have received the information sent by p_ℓ in Protocol 2 and verified the digital signature, they are ready to act on his behalf. At some later point in time they will see a query set U that contains p_ℓ when a party, say p_i, initiates Protocol 1. At this point the parties in D run π_act, shown in Protocol 3.

Protocol 3 π_act.

1. The parties in D notify the parties in U that they are to act on behalf of p_ℓ by sending them the message and digital signature received from p_ℓ.

2. The parties in D select one of them to take p_ℓ's place in the set U and notify the parties in U of this choice.

3. The parties in U validate the digital signature and replace p_ℓ in the set U with the party chosen in the previous step. Call this new set U'.

4. The parties in U use the set U' for sharing when continuing Protocol 1, with the exception of computing r_ℓ (the input shares that would have come from p_ℓ).

5. Each party in D takes its share of shares_k, say s_k, received in Protocol 2 and computes (s'_1, ..., s'_|U'|) = S_|U'|(s_k) and sends one share to each party in U'.

6. Each party in U' receives |D| shares from the previous step. Call these shares (s'_1, ..., s'_|D|). They then compute r_ℓ = s'_1 + ... + s'_|D|. r_ℓ takes the place of what they would have received from p_ℓ in Step 3 of Protocol 1.

At the end of Protocol 3, the parties in U' can complete the execution of Protocol 1. Some interesting features of the protocol are that not all of D is required to participate in the execution of Protocol 1 and that the trust value v_ℓk is never revealed, either to the parties in D or to the parties in U'.

Correctness: From Protocol 2, the parties in D hold shares of the reputation value v_ℓk, say shares_k = (d_1, ..., d_|D|) where v_ℓk = d_1 + ... + d_|D|. These shares are then split into subshares and distributed to the parties in U'. In other words, d_j is split into d'_j,1, ..., d'_j,|U'|. Notice that the sum of all the subshares over every d_j is still v_ℓk. One subshare of each d_j is sent to one party in U'. Since addition is commutative, it turns out that the sum of all the shares computed in Step 6 of the protocol is still v_ℓk. Thus, the parties in U' have additive shares of v_ℓk, as needed for the protocol to be correct.

Security: Protocol 3 is secure from the perspective that it does not give the adversary any additional information about v_ℓk. This is shown in the worst case, i.e., when the adversary controls all parties but one in D and all parties but one in U'. Security in the case that the adversary controls fewer parties is an immediate consequence of worst-case security. Let p_h ∈ D and p'_h ∈ U' be the honest, uncorrupted parties in each set. Note that p_h and p'_h could be the same party. In the protocol, p_h will create a number of subshares, one of which will be sent to p'_h. Since the adversary will not know that share, due to the security of additive secret sharing, the adversary will also not know the r_ℓ that p'_h computes in Step 6 of the protocol. Without that value, the r_ℓ values computed by the corrupt parties give the adversary no additional information about v_ℓk. This shows that as long as there is at least one uncorrupted party in each of D and U', the protocol leaks no additional information about the private trust information.
If a party in D leaves, the remaining parties would not be able to act on p_ℓ's behalf. Therefore, before any party in D leaves the network, π_redel is run, as shown in Protocol 4. Let p_ℓ' ∈ D be the party that is leaving the network. Furthermore, recall from Protocol 2 that the parties in D hold a number of pairs (j, s_j), where j is the identity of a party and s_j is a share of v_ℓj. How the set D' is chosen will be explored in a later section. For now, assume that D' is a new random set. The description of π_redel focuses on the case where only one party has delegated information to the set D. The protocol can easily be adapted to the case where multiple parties have delegated to D by running it once for each party that has left the network and delegated to D.

Thus, by doing something similar to what was done in Protocol 3, i.e., creating and distributing subshares, the parties in D are able to transfer all delegated information they hold for p_ℓ to the set D' without revealing the values. Given the results of this protocol, simple modifications can be made to Protocol 3 to allow the set U to properly validate that D' is authorized to act on p_ℓ's behalf. Correctness and security proofs for this protocol follow logic similar to that used for Protocol 3.
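Protocols 1 to 4 as one executable model, added here as an illustration (it is not the dissertation's code and not the implementation of Section 4.2.7): π_del shares p_ℓ's values to D, π_redel moves them to D' when a delegate leaves, π_act turns the delegates' shares into the r_ℓ values that U' adds in Step 3 of Protocol 1, and π_add then yields Σ v_jk with p_ℓ offline. The group is Z_M for a constructed modulus M, the party names and reputation values are constructed, and the signed delegation message of Protocols 2 to 4 is abstracted as a plain record.

```python
"""Executable model of the Dyn-PDRS protocols pi_add, pi_del, pi_act and
pi_redel over the additive group Z_M.  Added example (not the dissertation's
code); modulus, party names and reputation values are constructed, and the
digital signature of Protocols 2-4 is abstracted as a plain delegation record."""
import secrets

M = 2**32  # G = Z_M; assumption: any cyclic group order works the same way


def share(s, n):
    """S_n(s): n-1 uniformly random shares, the last one fixes the sum to s."""
    parts = [secrets.randbelow(M) for _ in range(n - 1)]
    parts.append((s - sum(parts)) % M)
    return parts


def reconstruct(parts):
    """Adding all n shares recovers the secret."""
    return sum(parts) % M


def linearity_holds(s1, s2, n=4):
    """Definition 2: the pointwise sum of two sharings is a sharing of s1 + s2."""
    a, b = share(s1, n), share(s2, n)
    return reconstruct([(x + y) % M for x, y in zip(a, b)]) == (s1 + s2) % M


def pi_add(inputs, r_l=None):
    """Protocol 1.  inputs: {p_j: v_jk} for p_j in U.  A delegate standing in for
    an offline p_l has input None (assumption); its slot is filled by r_l, the
    shares produced by pi_act, which every party adds in Step 3.  Returns v_ik."""
    U = list(inputs)
    # Step 2: each party with an input shares it into |U| pieces, one per party.
    sent = {pj: share(v, len(U)) for pj, v in inputs.items() if v is not None}
    t = {}
    for idx, pj in enumerate(U):
        collected = [sent[src][idx] for src in sent]       # Step 3
        if r_l is not None:
            collected.append(r_l[pj])                       # p_l's contribution
        t[pj] = sum(collected) % M                          # Step 4
    return reconstruct(t.values())                          # Step 5 at p_i


def pi_del(p_l, values, D):
    """Protocol 2.  values: {j: v_lj} held by p_l.  Returns {d: {j: share}}
    plus the delegation record that stands in for the signed message."""
    holdings = {d: {} for d in D}
    for j, v in values.items():
        for d, s in zip(D, share(v, len(D))):
            holdings[d][j] = s
    return holdings, {"owner": p_l, "delegates": frozenset(D)}


def pi_act(holdings, auth, k, U_prime):
    """Protocol 3, Steps 5-6: every delegate subshares its share of v_lk across
    U'; each party in U' sums the |D| subshares it receives into r_l."""
    if set(holdings) != auth["delegates"]:           # Step 3: U checks the record
        raise ValueError("delegation record does not cover these parties")
    r_l = {p: 0 for p in U_prime}
    for d in holdings:
        for p, sub in zip(U_prime, share(holdings[d][k], len(U_prime))):
            r_l[p] = (r_l[p] + sub) % M
    return r_l


def pi_redel(holdings, auth, D_prime):
    """Protocol 4.  Every party in D subshares every s_j it holds across D';
    each party in D' stores the per-identity sum as its new share of v_lj."""
    new = {d: {} for d in D_prime}
    for old in holdings.values():
        for j, s in old.items():
            for d, sub in zip(D_prime, share(s, len(D_prime))):
                new[d][j] = (new[d].get(j, 0) + sub) % M
    return new, {"owner": auth["owner"], "delegates": frozenset(D_prime)}


def scenario():
    """p_l delegates to D, d2 leaves (pi_redel to D'), then p_i queries about
    p_k with p_l in U while p_l is offline.  Returns (computed v_ik, expected)."""
    v_l = {"k": 7, "w1": 3}                      # constructed values held by p_l
    holdings, auth = pi_del("l", v_l, ["d1", "d2", "d3"])
    holdings, auth = pi_redel(holdings, auth, ["d1", "d3", "d4"])
    # U = {w1, w2, l}; d1 takes p_l's place, so U' = {w1, w2, d1}
    witness_inputs = {"w1": 5, "w2": 9, "d1": None}
    r_l = pi_act(holdings, auth, "k", list(witness_inputs))
    return pi_add(witness_inputs, r_l), (5 + 9 + v_l["k"]) % M


if __name__ == "__main__":
    print("linearity:", linearity_holds(10, 20))
    print("v_ik, expected:", scenario())
```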

Protocol 4 π_redel.

1. p_ℓ' sends a message to all other parties in D that it is leaving the network.

2. The parties in D select a new set D' which will be responsible for acting on behalf of p_ℓ.

3. Each party in D creates subshares of each s_j it holds and distributes one subshare to each party in D' along with the identity j.

4. For each j, each party in D' receives one subshare s'_j from each party in D and stores the sum of these subshares along with j. The sum of these subshares is a new share of v_ℓj.

5. The parties in D also send the message and digital signature they received from p_ℓ to the parties in D'. They also each digitally sign a message stating that they are transferring delegation of p_ℓ's reputation information to D'.

4.2.5 Simulation.

The protocols shown in the previous section can be used to build a dynamic, privacy-preserving decentralized reputation system (Dyn-PDRS). This section shows the utility of increasing availability in decentralized reputation systems through a number of simulations. In order to establish a comparison with previous work, a simulation with no delegation of reputation information is also given. This is what all previous privacy-preserving decentralized reputation systems do. Thus, in a network with churn, the reputation information of parties leaves when the parties leave the network. Table 4.3 summarizes all the symbols used in this section.

4.2.5.1 The Setup.

For the simulation, let N be the total number of parties in the network and α be the probability that a party is in the network during one iteration of the simulation (1 - α is the probability that they are not in the network). Let c be the fraction of corrupt parties. The reputation system initializes by giving each party some reputation information on other parties in the network. Let b be the fraction of parties for which a given party holds reputation information at the start of the simulation.

At each iteration of the simulation some fraction, q, of the parties in the network ask for reputation information on some other in-network party. Also, in each iteration, some fraction, γ, of the network leaves or rejoins the network. Parties (both those in the network and those out of the network) will leave the network with probability 1 - α or join the network (if they were already gone) with probability α. With α = 1 a static network is achieved. As seen previously, when a party leaves the network, they delegate their reputation information to a delegation set. If someone in that set leaves before the original party returns to the network, a redelegation occurs. Let δ be the bound on the depth of the delegation chain, i.e., on the total number of delegations and redelegations. Bounding the depth of the delegation chain affects both efficiency and security. In other words, if δ = 1, when p_ℓ leaves the network, he will delegate his trust information to some set D. When one of the parties in D leaves the network, they do not do any further delegations. With δ = 2, p_ℓ would delegate to a set D who, in turn, would delegate to a set D' when a party in D is leaving the network, but the chain would end there. When p_ℓ returns to the network the delegation chain resets (i.e., delegation would occur again if p_ℓ left again). In effect, existing privacy-preserving decentralized reputation systems have δ = 0, i.e., no delegation.

Table 4.3: Table of symbols for simulator.

Symbol   Description
N        Number of parties in the network
α        In-network probability
c        Fraction of corrupt parties
b        Fraction of information to bootstrap
q        Fraction that query in an iteration
|D|      Cardinality of the delegation set D
δ        Bound on delegation chain depth
γ        Network churn rate
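A compact version of the simulation just described, added as an illustration rather than the dissertation's simulator: it runs the churn and query process for one parameter setting and returns the information availability, so the δ = 0 (no delegation), δ > 0 and α = 1 (static) cases can be compared on a small N. How a successful query creates a new reputation value, and that a broken delegation chain leaves the information unavailable until the owner returns, are assumptions marked in the code.

```python
"""Compact churn simulator for the Dyn-PDRS setup of Section 4.2.5.  Added
example, not the dissertation's simulator: N, alpha, b, q, |D|, delta and gamma
follow the text, while how queries create new reputation values and how a
broken delegation chain is treated are assumptions noted in the comments.
c (corrupt fraction) is accepted but unused: availability does not depend on it."""
import random


class DynPDRSSim:
    def __init__(self, N, alpha, c, b, q, D, delta, gamma, seed=0):
        self.rng = random.Random(seed)
        self.N, self.alpha, self.q = N, alpha, q
        self.D, self.delta, self.gamma = D, delta, gamma
        # info[i] = set of targets j for which p_i holds v_ij (bootstrap fraction b)
        self.info = [set(self.rng.sample([j for j in range(N) if j != i], int(b * (N - 1))))
                     for i in range(N)]
        self.online = [True] * N
        self.deleg = {}  # owner -> (delegation set, chain depth) while the owner is offline

    def _pick_set(self, exclude):
        pool = [x for x in range(self.N) if self.online[x] and x != exclude]
        return set(self.rng.sample(pool, min(self.D, len(pool))))

    def available(self, i):
        """p_i's values are usable if p_i is online or all of its current delegates are."""
        if self.online[i]:
            return True
        d = self.deleg.get(i)
        return d is not None and len(d[0]) > 0 and all(self.online[x] for x in d[0])

    def availability(self):
        """Available reputation values over the N^2 - N possible ones."""
        held = sum(len(self.info[i]) for i in range(self.N) if self.available(i))
        return held / (self.N * (self.N - 1))

    def _leave(self, i):
        self.online[i] = False
        for owner, (dset, depth) in list(self.deleg.items()):
            if i in dset:  # a delegate is leaving: pi_redel, unless the depth bound is hit
                if depth < self.delta:
                    self.deleg[owner] = (self._pick_set(owner), depth + 1)
                else:
                    del self.deleg[owner]  # assumption: unavailable until the owner returns
        if self.delta >= 1:
            self.deleg[i] = (self._pick_set(i), 1)  # pi_del to a random set

    def _join(self, i):
        self.online[i] = True
        self.deleg.pop(i, None)  # chain resets; p_i holds its own values again

    def step(self):
        """One iteration: churn for gamma*N parties, then queries by a fraction q."""
        for i in self.rng.sample(range(self.N), int(self.gamma * self.N)):
            wants_in = self.rng.random() < self.alpha  # weighted coin
            if self.online[i] and not wants_in:
                self._leave(i)
            elif not self.online[i] and wants_in:
                self._join(i)
        on = [i for i in range(self.N) if self.online[i]]
        for i in self.rng.sample(on, int(self.q * len(on))):
            k = self.rng.choice(on)
            if k == i or k in self.info[i]:
                continue
            # assumption: pi_add succeeds if any available party holds v_jk; p_i then stores v_ik
            if any(k in self.info[j] and self.available(j) for j in range(self.N) if j != i):
                self.info[i].add(k)
        return self.availability()


def run(delta, alpha=0.75, iters=40, N=300, seed=1):
    """Final information availability for one parameter choice (one figure line's end)."""
    sim = DynPDRSSim(N, alpha, c=0.2, b=0.05, q=0.05, D=5, delta=delta, gamma=0.25, seed=seed)
    return [sim.step() for _ in range(iters)][-1]


if __name__ == "__main__":
    for delta in (0, 1, 2, 4):
        print(f"delta={delta}: availability={run(delta):.3f}")
    print(f"static (alpha=1): {run(4, alpha=1.0):.3f}")
```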
4.2.5.2 Varied δ.

This section shows how δ affects the level of information availability achieved by the Dyn-PDRS. Figure 4.7 shows a simulation with N = 10000, α = 0.75, c = 0.2, b = 0.05, q = 0.05, |D| = 5, γ = 0.25 and various values for δ. The static network represents the theoretical upper bound, for reference. Information availability is the fraction of information available, computed by counting the total number of reputation values available in the network (either directly from a party or through delegation) divided by the total possible number of reputation values (N^2 - N).

[Figure 4.7: plot titled "Dyn-PDRS Simulation for various δ"]

Figure 4.7: Information availability for various delegation depths (α = 0.75).

The figure shows that even with δ = 1 there is a significant increase in the amount of available information. Furthermore, with δ = 4 the information availability in the simulated Dyn-PDRS is very close to that of the fully static network. This plot illustrates how effective simple delegation can be in a reputation system.
[Figure 4.8: plot titled "Dyn-PDRS Simulation with decreased α"]

Figure 4.8: Information availability for various delegation depths (α = 0.50).

4.2.5.3 Varied α.

This section describes how changing α affects information availability. Figure 4.8 repeats the previous simulation but lowers α to 0.5. There is still a significant advantage in delegating reputation information, but it takes a longer delegation chain to approach the static system. In essence, the effect of a lower probability of availability of the parties is a slower growth of information availability in the system over time. To combat this in a deployed system, a deeper delegation chain can be used.

4.2.5.4 Varied γ.

The next simulation focuses on various values for γ. Recall that γ specifies what fraction of the parties might change their network status. This relates to the churn of the network. At each iteration of the simulation, γN of the parties will flip a weighted coin to determine if they should be in the network (either join the network if they were out, or stay in); α specifies the probability that the party should stay in or join the network. Other parameters are fixed at N = 10000, α = 0.75, c = 0.2, b = 0.05, q = 0.05, |D| = 5 and δ = 4. The simulation uses the following values for γ: 0.25, 0.50, 0.75, 1.00. The results are shown in Figure 4.9. The plot includes the line for the static network for reference.

[Figure 4.9: plot titled "Dyn-PDRS Simulation for various γ"]

Figure 4.9: Information availability plot with various churn rates.

The figure shows that, surprisingly, the churn rate has little effect on information availability. To understand why this is the case, consider what happens when γ is high. Parties are more likely to leave the network, so they will have to delegate their reputation information. They are also, however, more likely to come back quickly, which means the delegation chain limit is less likely to be reached. Contrast this with the case where γ is low. Parties are less likely to leave the network, so they will not have to delegate their information as often. When they do leave, however, they stay out longer. But, since the parties in their delegation (and redelegation) set are also less likely to leave, the delegation chain will not grow as quickly.
[Figure 4.10: plot titled "Dyn-PDRS Simulation for various |D|"]

Figure 4.10: Information availability plot with various delegation set sizes.

4.2.5.5 Varied |D|.

This section describes the effect of the size of the delegation and redelegation sets on information availability. For simplicity, assume that the sizes of the delegation set and the redelegation sets are the same. Figure 4.10 shows the results of this simulation. This plot also shows the static network for reference. The figure shows that the size of the delegation set indeed has an effect on information availability. The effect is not drastic, but at the same time is non-negligible. The reason for lower information availability as |D| increases is that there are more parties who can cause redelegations; thus, it is more likely that the delegation chain depth limit is reached.

4.2.5.6 Discussion.

From the previous simulations, it is clear that different parameters affect information availability differently. Network churn has little to no effect on information availability, but the in-network probability and the delegation chain depth can both have significant impacts. Increasing δ increases the y-intercepts and the slopes of the lines in Figure 4.7. Comparing that figure with Figure 4.8, one can see that decreasing α decreases the y-intercept and the slope. Increasing churn, γ, has little to no effect on either the y-intercepts or the slopes of the lines in Figure 4.9. Finally, increasing |D| causes only a small decrease in both the y-intercepts and the slopes of the lines in Figure 4.10. Therefore, one can see that while the in-network probability has the biggest negative impact on information availability, increasing the delegation chain depth limit can be a viable way to significantly increase information availability.

4.2.6 Delegation Strategies.

Consider a simple delegation strategy in which p_ℓ chooses a random set D, and any time π_redel is run, a new random set D' is chosen. With each delegation (or redelegation), there is some chance that the delegated information will leak. This happens when all parties in the delegation set are corrupt. Let |D| be the size of the delegation set, which, for simplicity, is assumed to be constant, but the protocols will work for different sized sets. Therefore, there are \binom{c \alpha N}{|D|} sets of size |D| for which all parties in the set are corrupt. (4.1) gives the probability of choosing a delegation set where all parties are corrupt, or in other words, the probability of a single delegation (or redelegation) resulting in leaking private reputation information given the delegation strategy just described.

\text{prob\_leak} = \frac{\binom{c \alpha N}{|D|}}{\binom{\alpha N}{|D|}} \qquad (4.1)

Using the parameters from the first simulation (N = 10000, α = 0.75, c = 0.2 and |D| = 5), prob_leak ≈ 0.0003. Therefore, with 1700 delegations or redelegations total, the probability that the private reputation information would have leaked is 0.0003(1700) = 0.51. With high churn rates in a network, one can expect a lot of delegations and redelegations and would have to stop delegating at some point in order to guarantee security. Therefore, a better delegation strategy is needed. This section studies two delegation strategies. One provides strong privacy guarantees but could potentially leak some information about who p_ℓ trusts (but not the actual reputation values). The other has weaker privacy guarantees, but does not leak information about who p_ℓ trusts.

4.2.6.1 Guaranteed Privacy.

Since $p_i$ holds reputation information on other parties in the network, this information helps $p_i$ choose how delegation should work, i.e., the initial set $D$ and the delegation chain depth limit $\delta$. Let $p_i$ choose $\delta$ according to how available he wants his information to be while he is out of the network. For example, this could be determined from the churn rate of the network. Once $\delta$ is set, $p_i$ forms the set $D_h$ of the parties that he trusts the most (based on the reputation values he possesses), sized so that about $\delta$ of them are expected to be in the network at any time. These parties are known by $p_i$ to be honest and will help provide strong privacy guarantees by forming part of $D$. $p_i$ also chooses some number of other parties from the network at random, whose trustworthiness is possibly unknown. Call this set $D_u$. When $p_i$ would like to leave the network, he runs protocol $\pi_{del}$ with $D = \text{in\_network}(D_h \cup D_u)$, where $\text{in\_network}$ returns the subset of its argument consisting of those parties which are currently in the network. At a later point, when a party $p'_j \in D$ wants to leave the network, the parties in $D$ run $\pi_{redel}$ with $D' = D - \{p'_j\}$.

Due to the way $D_h$ is constructed, $|\text{in\_network}(D_h)| \approx \delta$. Furthermore, there are approximately $(1 - c)|D_u|$ honest parties in $D_u$. Therefore, at any moment in time, the set $D$ will contain at least $\delta$ honest parties. Since $\delta$ limits the delegation chain, and each redelegation removes only one party from the set, it is guaranteed that there will always be at least one honest party in the redelegation sets. Therefore, privacy is ensured.

4.2.6.2 Probabilistic Privacy.

One can make the delegation strategy simpler by relaxing the security guarantees. Let $p_i$ choose a set $D_u$ uniformly at random, sized (using an estimate of $c$) so that it is expected to contain $\delta$ honest parties, where $\delta$ is the desired delegation chain depth limit chosen to ensure some level of availability. Set $D = \text{in\_network}(D_u)$ when $p_i$ runs $\pi_{del}$. When the parties in $D$ run $\pi_{redel}$, they set $D' = D - \{p'_j\}$. Due to the way $D_u$ is chosen, there should be $\delta$ honest parties in $D$ at any instant in time, and since the delegation chain depth is limited by $\delta$, there will always be at least one honest party in the redelegation sets. In practice, $D_u$ should be somewhat larger in order to have even stronger assurances of privacy, since the number of honest parties in a random set varies around its expectation.
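As an added worked example (not part of the dissertation), the following Python evaluates (4.1) for the random delegation strategy and the honest-party count of the probabilistic strategy of Section 4.2.6.2. It assumes that delegation sets are drawn uniformly from the $\alpha N$ parties currently in the network, of which a fraction $c$ are corrupt; the function names are the example's own and `math.comb` does the binomial arithmetic.

```python
from math import comb


def prob_leak(N, alpha, c, d):
    """(4.1): probability that a delegation set of size d, drawn uniformly from
    the alpha*N parties in the network, of which c*alpha*N are corrupt
    (an assumption of this example), consists entirely of corrupt parties."""
    in_net = round(alpha * N)
    corrupt = round(c * in_net)
    return comb(corrupt, d) / comb(in_net, d)


def leak_after(p, k):
    """Probability that at least one of k independent delegations or
    redelegations leaks: the exact value and the union bound k*p the text uses."""
    exact = 1 - (1 - p) ** k
    return exact, min(1.0, k * p)


def honest_count_at_least(size, delta, N, alpha, c):
    """Section 4.2.6.2: probability that a uniformly random D_u of the given
    size contains at least delta honest parties.  The honest count is
    hypergeometric over the in-network population."""
    in_net = round(alpha * N)
    honest = in_net - round(c * in_net)
    return sum(comb(honest, h) * comb(in_net - honest, size - h)
               for h in range(delta, size + 1)) / comb(in_net, size)


def smallest_size_for(delta, N, alpha, c, confidence):
    """Smallest |D_u| that holds at least delta honest parties with the given
    confidence: the 'somewhat larger' set Section 4.2.6.2 recommends."""
    size = delta
    while honest_count_at_least(size, delta, N, alpha, c) < confidence:
        size += 1
    return size


if __name__ == "__main__":
    # Parameters of the first simulation: N = 10000, alpha = 0.75, c = 0.2, |D| = 5
    p = prob_leak(10000, 0.75, 0.2, 5)
    print(f"prob_leak = {p:.6f}")
    exact, bound = leak_after(p, 1700)
    print(f"after 1700 delegations: exact {exact:.3f}, union bound {bound:.3f}")
    print("|D_u| for 5 honest parties at 99%:",
          smallest_size_for(5, 10000, 0.75, 0.2, 0.99))
```

With the first simulation's parameters, the union bound overstates the exact leak probability after 1700 delegations (about 0.40 rather than 0.51), and a random $D_u$ of exactly $\delta = 5$ parties contains five honest parties only about a third of the time; ten parties already give better than 99%, which is the quantitative content of the advice to make $D_u$ somewhat larger.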

4.2.6.3 Discussion.

The first delegation strategy is able to provide better privacy guarantees by exploiting the reputation values that $p_i$ possesses. There are circumstances where this could leak information about who $p_i$ trusts, but not the actual reputation values $p_i$ holds. This may or may not be of concern, depending on the application. The second delegation strategy does not have this problem, but is not able to provide as strong privacy guarantees, though this strategy could be very viable in networks where $c$, the fraction of corrupt parties, is very low. The description of the second strategy requires knowledge of $c$, which is a drawback, but conservative estimates of $c$ can likely be computed.

4.2.7 Implementation.

This section presents an implementation of the four protocols presented earlier, in order to better understand their timing characteristics. The implementation is in the Python language, and all communication takes place using the Python remote object functionality provided by Pyro [70]. For the finite field used by the additive secret sharing, the implementation uses $\mathbb{Z}_{1021}$ (1021 is prime). This field is more than sufficient, as the maximum reputation value is 10 and the query set sizes are small, so a sum of reputation values never wraps around the modulus.
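As an added illustration (not the dissertation's implementation), the following Python shows additive secret sharing over $\mathbb{Z}_{1021}$ and the bound the field places on a privately computed sum of reputation values; the function names and the sample values are the example's own.

```python
import secrets

P = 1021              # prime modulus of the field used by the implementation
MAX_REPUTATION = 10   # largest reputation value in the system


def share(value, parties):
    """Split value into `parties` additive shares whose sum is value mod P.
    Every proper subset of the shares is uniformly random, so it reveals
    nothing about value."""
    shares = [secrets.randbelow(P) for _ in range(parties - 1)]
    shares.append((value - sum(shares)) % P)
    return shares


def reconstruct(shares):
    return sum(shares) % P


def private_sum(values, parties):
    """Share every value among the same parties; each party adds the shares it
    holds locally (mod P) and only the per-party sums are recombined.  The
    result equals sum(values) only while that sum stays below P."""
    per_party = [0] * parties
    for v in values:
        for i, s in enumerate(share(v, parties)):
            per_party[i] = (per_party[i] + s) % P
    return reconstruct(per_party)


def max_query_size():
    """Largest number of maximal reputation values whose sum cannot wrap in Z_P."""
    return (P - 1) // MAX_REPUTATION


if __name__ == "__main__":
    print(private_sum([3, 7, 10, 5], 6))        # 25: the sum, without any single value
    print(max_query_size(), private_sum([10] * 103, 4))   # 102, and 1030 wraps to 9
```

The last line is the check a practitioner wants before reusing such a small field: 102 maximal reputations still fit, while 103 of them silently wrap to 9, so the modulus must be sized against the largest query set the system will ever sum.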

The primary component of the implementation is the Agent. An agent is a party in the network. Each agent begins with some amount of reputation information on other parties in the network, which bootstraps the reputation system. While not done in the experiments, an agent could start with no reputation information. Agents register with the Pyro nameserver to make their availability in the network known. They are then free to communicate with each other. For the purposes of the implementation, query and delegation sets are chosen randomly, and one can set the size of each of these sets programmatically. Assume the same sizes across the whole network, though in practice they can differ. For the delegation strategy, the redelegation set is equal to the previous delegation set minus the party that is leaving. This sets a natural bound on the delegation chain depth of the size of the original delegation set minus two, so that there are always at least two parties in the delegation set. In practice, one would need to be more careful in choosing the delegation set and setting the bound on the delegation chain depth accordingly, as discussed in the previous section. For the purposes of the timing experiments, this delegation strategy suffices.

4.2.8 Experimentation.

Using the implementation detailed in the previous section, this section reports on a number of experiments that demonstrate the run-time efficiency of the Dyn-PDRS protocols. For the experiments, let $N = 50$, $\alpha = 0.9$ when delegation is used, $s = 0.5$ and $\gamma = 0.1$ unless otherwise stated. An explanation of these symbols is given in Table 4.3.

Figure 4.11 shows the timing information for running $\pi_{add}$ with various query set sizes and a fixed delegation set size ($|D| = 6$). Notice that the time to execute $\pi_{add}$ increases as the query set size increases. This plot also reveals a lot about $\pi_{act}$. $\pi_{act}$ is called as a subroutine of $\pi_{add}$ when delegation is enabled and a party that appears in the query set has left the network, in which case the parties in the delegation set act on his behalf. The plot also shows the effect of $\pi_{act}$, both on the overall execution time and on the slope. Even with a query set size of ten, however, $\pi_{add}$, both with and without delegation, is very fast. Figure 4.12 shows the results of a similar experiment, but this time the size of the delegation set is varied and the size of the query set is fixed at five. With no delegation, the delegation set size has no effect. Again, notice how the time to execute $\pi_{add}$ with delegation increases as the size of the delegation set increases.
Figure 4.11: Average time to execute $\pi_{add}$ with varying query set size and 95% confidence interval.


Figures 4.13 and 4.14 plot the average time (with 95% confidence interval) to run $\pi_{del}$ and $\pi_{redel}$ respectively, with varying delegation set sizes. The query set size has no effect on the running time of these protocols and is fixed at five for these experiments. In Figure 4.13, notice that $\pi_{del}$ is a very fast protocol whose running time increases linearly as the delegation set size increases. Figure 4.14 reveals that $\pi_{redel}$ is the most expensive protocol in the Dyn-PDRS. With smaller delegation set sizes, however, it is still practical.

All of the previous plots showed the average execution time over the entire experiment. The time to execute $\pi_{del}$ and $\pi_{redel}$ can vary greatly depending on how much information needs to be delegated or redelegated. To better understand how the amount of information affects the running time of these protocols, we plot the individual data points collected during an experiment in which $s$ (the fraction of information bootstrapped into the reputation system) is varied and, upon each delegation or redelegation, the number of reputation values being delegated or redelegated is counted. For this experiment, the query set size is fixed at five and the delegation set size at six. Figure 4.15 shows the results of this experiment for $\pi_{del}$ and Figure 4.16 for $\pi_{redel}$. Each plot includes the linear least squares regression line. For both protocols, the execution time increases linearly as the amount of information increases, though the slope of the line is much higher for $\pi_{redel}$.

Figure 4.12: Average time to execute $\pi_{add}$ with varying delegation set size and 95% confidence interval.
Figure 4.13: Average time to execute $\pi_{del}$ with varying delegation set size and 95% confidence interval.

Figure 4.14: Average time to execute $\pi_{redel}$ with varying delegation set size and 95% confidence interval.

Figure 4.15: Timing as amount of information increases for $\pi_{del}$.

Figure 4.16: Timing as amount of information increases for $\pi_{redel}$.
V. Adversary Model Tradeoffs

Adversary modeling is a very important tool in the design of security protocols. It forces a protocol designer to specify exactly the conditions under which the protocol will be secure and often leads to a formal proof of security. Chapter 3 shows examples of adversary modeling and security proofs. The two most common adversary models are the honest-but-curious (or semi-honest) model and the malicious model. Each adversary model has its advantages and disadvantages. This chapter presents methods to study the tradeoffs between the two models. Protocols in the honest-but-curious model are often more lightweight than their malicious model counterparts. They typically have lower computation requirements, lower communication requirements, or both. The disadvantage of these protocols is that the honest-but-curious (HbC) assumptions might not be realistic, especially if the value of an attack is high. This is especially true in smart metering applications, where the meters are geographically separated and thus not under the physical protection of some entity with a vested interest in keeping them safe. That is why HbC privacy-preserving smart metering protocols often carry the additional assumption that the devices are tamper resistant. Malicious model protocols are inherently more resilient and do not require tamper-resistant hardware, but often have a higher cost in computation, communication or both.

When designing a privacy-preserving system such as the two applications described in Chapter 4, choosing a realistic adversary model given the context of the deployed hardware and software is very important. Previous research has not addressed how much less efficient malicious model protocols are, or what the effect of anti-tamper protection is on HbC protocols. Answering these questions is very important, as it could potentially have a major impact on the efficiency and security of the system. The results in this chapter present analysis of protocols geared towards the smart grid application that use three different paradigms for privacy-preserving computation: homomorphic encryption, multiparty computation, and transferable MPC.

5.1 Motivation

Consider the problem of spatial aggregation of load data in a network of $N$ meters and one node called the sink node. The sink node represents the party authorized to learn the final aggregated value. Erkin and Tsudik [55] present a protocol that is secure in the honest-but-curious model which requires each meter to perform one encryption, one hash function computation and generate $N - 1$ random numbers. The aggregation node then homomorphically aggregates the information from the $N$ meters and decrypts the result. Garcia and Jacobs [56], on the other hand, present a protocol that is secure in the malicious model which requires $N - 1$ encryptions and one decryption per meter. Furthermore, the aggregation node must homomorphically aggregate approximately $N^2$ different values before getting the final result. Clearly the malicious model protocol requires much more computation for both the aggregation node ($N^2$ aggregations vs. $N$) and for the meter nodes ($N - 1$ public-key encryptions vs. $N - 1$ random number generations).

As illustrated by the previous example, there are many tradeoffs between the two adversary models. This section presents methods for understanding these tradeoffs in two different ways. The initial discussion focuses on existing smart meter aggregation protocols from the literature that use homomorphic encryption. Their respective communication and computation requirements when applied to sample smart meter hardware are presented. Next, the discussion turns to generic secure multiparty computation protocols, which can compute almost any function on private inputs. Such protocols have only recently been studied for their application to the smart grid. These protocols provide an interesting avenue to further understand the implications of the different adversary models when developing privacy protocols for the smart grid. Protocols for each adversary model are studied to understand their requirements and are compared to better understand adversary model tradeoffs. Furthermore, while a complete, in-depth study of smart meter anti-tampering is outside the scope of this chapter, Section 5.6 presents information on various anti-tamper protections that are likely candidates for use in future smart meters and discusses the costs associated with each. The intent here is not to say categorically which adversary model is the best; instead, the analysis gives an understanding of the issues to consider when choosing one adversary model over the other and presents methods for conducting these analyses.

Privacy-preserving protocols based on homomorphic encryption have very high costs associated with moving from HbC to malicious model protocols. MPC-based protocols are richer, since they allow more complex computations. The information in this chapter presents an understanding of the adversary model tradespace in smart metering systems. The computations studied are privately computing the sum of consumption information across a neighborhood or city and the standard deviation of consumption information across a neighborhood or city. This chapter proposes metrics for comparing fundamentally similar protocols from different adversary models.


Figure 5.1: Fully Connected Network Model (meter nodes and a single sink).


For the protocols of interest to operate properly, any network topology will work as long as every node can talk to every other node. This can be accomplished via routing or direct connections. For simplicity, assume a fully connected topology as shown in Figure 5.1. The number of meter nodes may vary, but there is always a single sink. Meter nodes use the Gumstix Overo Earth with a 600 MHz processor and 256 MB of RAM. The sink node is a computer with an Intel Core i5-540M CPU and 4 GB of RAM.

5.2 Homomorphic Encryption in Smart Metering

Probably the most common computation found in the literature for privacy preservation in smart grids is aggregation of usage measurements over a spatially separated area (e.g., a neighborhood or city). A number of proposed protocols attempt to solve this problem. This study focuses on two: a protocol due to Erkin and Tsudik, called the ET protocol [55], and a protocol due to Garcia and Jacobs, called the GJ protocol [56]. These specific protocols have been chosen for the following reasons: (1) they are built using homomorphic encryption; (2) they are fairly similar in functionality, yet the ET protocol is secure in the honest-but-curious model while the GJ protocol is secure in the malicious model; and (3) they fit the network model well. By restricting this section to protocols that use homomorphic encryption, recent works involving differential privacy (e.g., [71]) are not considered. Other protocols initially considered include work by Li et al. [59], which is secure in the HbC model but assumes a different network structure from the one used here, and work by Shi et al. [58], which appears to be secure in the malicious model (though no adversary model is claimed or proven in the paper) but uses a different cipher (a modified version of ElGamal). By using two protocols that use the same cipher and the same network structure, the effects of the different adversary models are best revealed.

The remainder of this section presents an overview of each of these protocols and then presents timing measurements for the basic operations necessary to carry out the protocols, as measured on the devices in the example network.
5.2.1 ET Protocol.

In [55], Erkin and Tsudik present protocols for spatial, temporal and spatio-temporal aggregation in smart meter networks, each secure in the honest-but-curious model. This section reviews only the spatial aggregation protocol, as it is the only one used in the experimentation and analysis.

The ET protocol uses a slightly modified version of the Paillier cryptosystem. The modification is that each ciphertext has a noise component added to it. The noise components are generated among the meters in such a way that when all the ciphertexts are homomorphically aggregated, the noise cancels. This allows correct decryption of the final aggregated value, while decrypting an individual ciphertext yields only a noised value and not the meter's reading, thus preserving the privacy of the individual meters. Each meter knows the public key of the sink node. This is a slight simplification of the protocol in the original paper but is sufficient for the analysis in this chapter. The following steps outline the protocol to aggregate the usage data for all meters at one instant in time:

1. Each meter generates $N - 1$ random values and sends one random value to every other meter in the network.

2. Each meter uses the $N - 1$ random values it received plus the $N - 1$ random values it sent to compute the noise component for encryption.

3. Each meter encrypts its current usage information using the sink's public key and the noise component calculated in the previous step.

4. The meters send their respective encrypted information to the sink.

5. The sink takes all $N$ encrypted values, homomorphically aggregates them and decrypts to obtain the final result.
5.2.2 GJ Protocol.

The malicious model protocol used in the analysis below comes from Garcia and Jacobs [56]. Like the ET protocol, it is a privacy-preserving protocol for spatial aggregation of usage data. The authors never explicitly state which cryptosystem to use but mention Paillier as a possibility, which is what this chapter uses. Each meter has a public-private key pair associated with it, and the meters know each other's public keys. The GJ protocol works as follows:

1. Meter $i$ takes its current usage reading, $m_i$, and splits it into $N$ shares $(a_{i1}, \ldots, a_{iN})$ such that $m_i = \sum_{j} a_{ij} \bmod n$ (where $n$ is a large number known to all meters).

2. Meter $i$ then encrypts each share using a different meter's public key, $d_{ij} = E(a_{ij}, PK_j)$, except for its own share $a_{ii}$.

3. The meters send the encrypted shares to the sink node.

4. The sink node homomorphically aggregates the shares encrypted under the same public key. In other words, for $PK_i$ the sink aggregates $d_{1i}, d_{2i}, \ldots, d_{Ni}$ (there is no $d_{ii}$) and sends the aggregated value to meter $i$.

5. Meter $i$ then decrypts the aggregated value from the previous step, adds in $a_{ii}$ and returns the result to the sink node.

6. The sink node adds up all the values received from the meters, which is shown to equal the aggregate sum of the usage information.
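The two protocols above, as an added example that is not code from either paper: a textbook Paillier implementation with toy-sized primes (insecure, for illustration only) drives simplified ET and GJ aggregations. Two simplifications are assumptions of the example: the ET noise is added to the plaintext modulo $n$ before encryption rather than folded into the ciphertext, and the GJ share modulus (`n_share`) is kept small enough that no per-key sum can wrap a meter's Paillier modulus, so the exact column sum survives decryption. The sample readings and prime pairs are constructed.

```python
import math
import random
from functools import reduce


def paillier_keygen(p, q):
    """Textbook Paillier key pair for primes p and q, using g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    mu = pow(lam, -1, n)        # with g = n + 1, L(g^lam mod n^2) = lam mod n
    return (n, n + 1), (lam, mu)


def encrypt(pk, m):
    """E(m) = g^m * r^n mod n^2 for a fresh r coprime to n."""
    n, g = pk
    r = random.randrange(1, n)
    while math.gcd(r, n) != 1:
        r = random.randrange(1, n)
    return pow(g, m % n, n * n) * pow(r, n, n * n) % (n * n)


def decrypt(pk, sk, c):
    n, _ = pk
    lam, mu = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n


def aggregate(pk, ciphertexts):
    """Homomorphic addition: the product of ciphertexts encrypts the sum."""
    nn = pk[0] ** 2
    return reduce(lambda a, b: a * b % nn, ciphertexts)


def et_noise(num_meters, n):
    """ET steps 1-2: meter i sends r[i, j] to each other meter j and sets
    noise_i = (sent - received) mod n, so that the noises sum to 0 mod n."""
    r = {(i, j): random.randrange(n)
         for i in range(num_meters) for j in range(num_meters) if i != j}
    return [(sum(r[i, j] for j in range(num_meters) if j != i)
             - sum(r[j, i] for j in range(num_meters) if j != i)) % n
            for i in range(num_meters)]


def et_aggregate(sink_pk, sink_sk, readings):
    """ET steps 3-5 (noise added to the plaintext, an assumption of this
    example).  Returns the decrypted total and the value the sink would get
    by decrypting meter 0's ciphertext alone: a noised reading, not m_0."""
    n = sink_pk[0]
    noise = et_noise(len(readings), n)
    cts = [encrypt(sink_pk, (m + z) % n) for m, z in zip(readings, noise)]
    total = decrypt(sink_pk, sink_sk, aggregate(sink_pk, cts))
    return total, decrypt(sink_pk, sink_sk, cts[0])


def gj_aggregate(meter_keys, readings, n_share):
    """GJ: meter i splits m_i into N additive shares mod n_share and encrypts
    a_ij under PK_j for j != i; the sink aggregates each key's column; meter j
    decrypts its column, adds its own a_jj and answers; the sink totals.
    Assumes (N - 1) * n_share < every meter's Paillier modulus (no wrap)."""
    N = len(readings)
    shares = []
    for m in readings:
        a = [random.randrange(n_share) for _ in range(N - 1)]
        a.append((m - sum(a)) % n_share)
        shares.append(a)
    total = 0
    for j, (pk, sk) in enumerate(meter_keys):
        column = [encrypt(pk, shares[i][j]) for i in range(N) if i != j]
        partial = decrypt(pk, sk, aggregate(pk, column))  # sum_{i != j} a_ij
        total += partial + shares[j][j]
    return total % n_share


# Toy primes for the example's meters; real deployments use 2048-bit keys.
METER_PRIMES = [(1009, 1013), (1019, 1021), (1031, 1033), (1039, 1049)]
METER_KEYS = [paillier_keygen(p, q) for p, q in METER_PRIMES]
READINGS = [120, 83, 250, 77]          # constructed sample usage readings

if __name__ == "__main__":
    sink_pk, sink_sk = METER_KEYS[0]   # reuse one toy key pair as the sink's
    print("ET total, noised m_0:", et_aggregate(sink_pk, sink_sk, READINGS))
    print("GJ total:", gj_aggregate(METER_KEYS, READINGS, 2 ** 16))
```

The operation counts of Section 5.1 are visible in the code: ET costs each meter one encryption and $N - 1$ random values, with $N$ ciphertexts aggregated at the sink, while GJ costs each meter $N - 1$ encryptions and one decryption, with the sink aggregating one column of $N - 1$ ciphertexts per meter, about $N^2$ in total.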


5.2.3 Timing Measurements.

Table 5.1: Timing for homomorphic encryption operations (2048-bit Paillier keys, averaged over more than 500 runs per operation).

              Encrypt    Decrypt    Aggregate    GenRnd
    Meter     929 ms     903 ms     7.3 ms       0.15 ms
    Sink      98 ms      97 ms      0.47 ms      N/A


This section presents results on the computation and communication requirements for all of the necessary operations in the ET and GJ protocols. These include the time to encrypt and decrypt using Paillier, to homomorphically add two ciphertexts, to transmit and receive the various message types, etc. Section 5.5 uses this information to extrapolate the communication and computation requirements of the full protocols. The Paillier implementation used for the measurements is the thep library (http://thep.googlecode.com/), which is written in Java but configured to perform the most expensive large integer operations using GMP (http://gmplib.org/) for better performance. The keys are 2048 bits and the timing information comes from over 500 runs of each operation. The results are shown in Table 5.1.

For communications, assume that each node in the network has a wireless link capable of 250 kbps throughput. Furthermore, assume that processing, propagation and queuing delays are negligible and that packet headers are negligible in size and do not contribute significantly to the size of the overall packet. These assumptions are justified by the simplicity of the network. Therefore, the only delay under consideration is transmission delay. Using this information, the estimated time to transmit a 128-bit random number is 0.512 milliseconds and a 2048-bit ciphertext takes 8.192 milliseconds. (Note that a Paillier ciphertext is an element of $\mathbb{Z}_{n^2}$ and so is twice the bit length of the modulus $n$; a 2048-bit ciphertext corresponds to a 1024-bit modulus, and a 2048-bit modulus would double this transmission time.)

5.3 Multiparty Computation in Smart Metering

Section 2.3 presents a brief introduction to secure multiparty computation (MPC). MPC could prove to be an important tool in the smart grid, as it would allow meters to perform much more complex computations in the grid without compromising the privacy of the individual parties, but there has been little research to date in applying MPC to the smart grid. Danezis et al. [72] present a protocol for privacy-preserving billing and mention smart metering as one potential application. Their protocols use many of the building blocks of MPC and are therefore highly related. Thoma et al. [73] apply multiparty computation techniques to the smart grid, but only look at secure summation and secure comparison. Using these two functionalities, the authors propose a system which provides demand management and billing with verification. They do not look, however, at generic multiparty computation, which can compute any function. Furthermore, their work only considers the honest-but-curious adversary model and does not look at tradeoffs between the two models. Peter et al. [74] propose using MPC for smart grid computation in a slightly different model than the one considered here. This work builds privacy-preserving computations that occur in-network. In their work, Peter et al. look at using MPC in the outsourcing model, where they assume that the meters have access to computation servers (e.g., the cloud) which perform the computation privately on behalf of the meters.

In contrast to previous work, generic multiparty computation protocols can compute advanced functionalities such as standard deviation, statistical hypothesis tests, etc. Benchmarks for MPC are measured using the VIFF (http://viff.dk) framework. VIFF provides protocols in both the honest-but-curious and the malicious models. This section introduces VIFF and presents overviews of both of the protocols of interest. The section also presents timing measurements for the critical components of each protocol, which are used later to understand the tradeoffs in adversary models.

5.3.1 Introduction to VIFF.

This section presents a brief overview of VIFF. For an in-depth guide to VIFF, see [47]. VIFF is written in Python and allows a developer to specify multiparty computations using a simple API and a runtime environment that handles all the complex operations necessary to carry out the MPC. VIFF includes runtimes which are secure in the honest-but-curious model as well as the malicious model, and it assumes an asynchronous network.

When using VIFF, the four main commands are input, output, multiply, and add. input allows a party to enter its input to the computation. It uses secret sharing to securely split an input $s$ into $s_1, s_2, \ldots, s_n$ such that any $t + 1$ of those shares can be combined to recover the original value. The shares are then distributed to the other parties. output allows the authorized parties to learn the value that corresponds to a previously secret-shared value. In other words, when output is called on $s$, the parties reveal their shares of $s$ to the authorized parties. add allows us to add together two secret-shared values such that each party has a share of the result. For example, to compute $s = a + b$, each party should end up with a share of $s$ (say $s_i$) without the values of $a$, $b$, or $s$ being revealed. Similarly, multiply results in each party holding a share of $s$ such that $s = ab$ without revealing any of the values. Given these four commands, any arithmetic circuit can be computed. To compute $f$, represent it as an arithmetic circuit built up of addition and multiplication gates. Secret share the inputs among the parties and use add at each addition gate and multiply at each multiplication gate. When the circuit is fully executed, use output on the final gate(s) of the circuit. VIFF runtimes implement the necessary protocols to carry out these four commands. The specific runtimes of interest are viff.passive.PassiveRuntime and viff.active.ActiveRuntime. The PassiveRuntime is secure in the honest-but-curious model for $t < n/2$ corrupted parties. The ActiveRuntime is secure in the malicious model for $t < n/3$ corrupted parties. The subsequent sections present details on how these protocols work, as they form the basis of the analysis presented in this chapter.

5.3.2 Timing Measurements (honest-but-curious).

Table 5.2: Coefficients for the timing estimation polynomial of HbC model operations ($y = c_2 x + c_1$, with $y$ and $c_1$ in milliseconds, $c_2$ in milliseconds per party, and $x$ the number of parties; add takes constant time, so only $c_1$ is given for it).

              input               output              add      multiply
              c2        c1        c2        c1        c1       c2        c1
    Meter     1.178     -1.019    0.056     0.289     0.07     1.234     -0.66
    Sink      0.043     -0.036    0.003     0.01      0.002    0.049     -0.026

To understand the communication and computation requirements of PassiveRuntime, which lead to the timing measurements for the runtime, consider how the four commands listed in Section 5.3.1 operate. Table 5.2 shows timing measurements for the commands (not including communication time). For the add operation, the table gives the time to add two numbers. The other commands are not as simple. Note, however, that the remaining three are of linear complexity (in the number of parties), so a polynomial fit ($c_2 x + c_1$) can be used. The table gives the coefficients of the polynomial.

The input command uses Shamir secret sharing (SSS) [42] to split the input $s$ into $n$ different shares $(s_1, \ldots, s_n)$ such that any $t + 1$ of the shares can be used to recover $s$. To do this, party $p_i$ chooses a random polynomial of degree $t$, $\sigma(x) = s + r_1 x + r_2 x^2 + \cdots$, where $s$ is the secret to be shared and each $r_k$ is a random value from some finite field. $p_i$ then computes the shares $s_j = \sigma(j)$ for $j$ from 1 to $n$, sends $s_j$ to party $p_j$ and keeps one share for himself. With fewer than $t + 1$ shares it is not only impossible to recover $s$, but additionally no information about $s$ is leaked. The communication cost of this command is the cost of communicating the $n$ shares. The computation cost is simply the cost of generating the random coefficients and then evaluating the polynomial $n$ times. output is really the reverse of input. At least $t + 1$ shares must be communicated to the parties who are allowed to learn the output. Those parties then use the shares to reconstruct the output value. If $k$ parties are allowed to learn the output, the communication cost is that of communicating $kn$ shares. The computation cost is that of reconstructing the secret from the shares. SSS uses Lagrange interpolation for reconstruction, which is quite fast. Given at least $t + 1$ shares, reconstruction of $s$ is computed by the following equation.


and  then  s  = 


The add command is very simple. To compute $f = d + e$, where each party $i$ holds shares $d_i$ and $e_i$, the parties, due to the linear nature of SSS, simply compute $f_i = d_i + e_i$. The shares $f_i$ are proper shares of $f = d + e$. Therefore, the computation requirements of add are very small and there is no communication required. multiply, on the other hand, is a more expensive operation. To compute shares of $f = de$, each party $i$ first computes $f'_i = d_i e_i$ and then secret shares $f'_i$ so that party $j$ holds $f'_{ij}$. Each party $j$ then uses the shares $f'_{1j}, f'_{2j}, \ldots, f'_{nj}$ to reconstruct $f_j$, which is a proper share of $f$. Thus the communication cost is that of communicating the shares and the computation cost is that of generating $n$ shares and reconstructing with $n$ shares. This protocol is secure in the HbC model [75].

5.3.3 Timing Measurements (malicious).

The VIFF malicious model protocol is presented in [50]. Table 5.3 presents the timing measurements for the protocol. The table omits add and output as, for the sizes of parties considered here, they are roughly the same as in the passive runtime. When working in the malicious model, a new command (genTriple) is used. Furthermore, the commands are used in two phases, preprocessing and computation. genTriple has quadratic complexity (in the number of parties), so the table presents the coefficients of the equation $y = c_3 x^2 + c_2 x + c_1$.

Table 5.3: Coefficients for timing estimation polynomial of malicious model operations ($y = c_3 x^2 + c_2 x + c_1$ with $y$ and $c_1$ in milliseconds, $c_2$ in milliseconds/party, $c_3$ in milliseconds/party squared, $x$ is number of parties).

                genTriple                    input               multiply
            c3      c2      c1           c2      c1          c2      c1
  Meter   0.141   4.879  -3.209       1.178  -1.019       0.112   0.578
  Sink    0.002   0.181  -0.114       0.043  -0.036       0.006   0.02

The preprocessing phase handles genTriple and input. genTriple generates shares of multiplication triples, i.e., values $d, e, f$ such that $f = de$, for each party. Such multiplication triples can be generated using hyperinvertible matrices [76] or pseudorandom secret sharing [77], with the latter being more efficient for small values of $n$ [50]; thus the timing measurements here use the hyperinvertible matrices method. input is also slightly modified from the passive runtime. Instead of secret sharing the input, the protocol instead secret shares a random value $r$ and broadcasts the value plus the input if preprocessing terminates successfully.

The computation phase is where the other commands take place. add and output are carried out exactly as in the passive runtime. mult, however, is different. For each multiplication that must be performed, each party uses the shares of a multiplication triple from the preprocessing phase, say $d_i, e_i, f_i$. Furthermore, each party has shares of the values to be multiplied, say $a_i, b_i$. The result of mult should be a share of $g = ab$ for each party. Let $d'_i = a_i - d_i$ and $e'_i = b_i - e_i$. The parties then publicly reconstruct $d', e'$ using output. Each party then computes $g_i = d'e' + d'e_i + d_i e' + f_i$, which is their share of $g = ab$. Thus, the communication and computation requirements of mult are almost entirely based on the requirements for output, which is called twice.

5.4 Transferable Multiparty Computation in Smart Metering

Chapter 3 presents the honest-but-curious and malicious model protocols for transferable multiparty computation. Recall that T-MPC builds upon existing MPC protocols, like those listed in the previous section, by adding two additional functions, transfer and recombine transfer. These functions can be used to privately transfer computations between sets of parties. Section 4.1 describes how these protocols have been applied to the smart grid to enable much more efficient computations with much higher scalability.

5.4.1  Timing  Measurements  (honest-but-curious). 

The timing information for HbC T-MPC is computed in a similar manner as what was done previously for MPC. In fact, the input, output, add, and multiply functions are the same, so the same timing measurements can be used. The function transfer is called by all parties in one set in order to transfer an intermediate value to a new set of parties. The parties call transfer with their share of the intermediate value as input. transfer creates subshares of the share by using Shamir secret sharing with the threshold set to the size of the new set of parties divided by two. Each party in the original set then sends one subshare of their intermediate value to each party in the new set.

Upon receiving all the subshares, each party in the new set calls recombine transfer on those subshares. recombine transfer runs Lagrangian interpolation on these subshares to get a new share. Thanks to the linear nature of SSS, the new shares held by the parties in the new set form shares of the intermediate value transferred by the parties in the old set. If there are multiple intermediate values that need to be transferred, these two protocols can be called multiple times.

5.4.2  Timing  Measurements  (malicious). 

T-MPC in the malicious model uses the malicious model MPC protocols from above. For the transfer and recombine transfer protocols, recall that a result due to McEliece and Sarwate makes reconstruction robust [51]. They noted that Shamir secret sharing is basically a special form of Reed-Solomon codes. In particular, if the dealer is trusted and the fraction of corrupt parties is less than one third, then a Reed-Solomon decoder can be used instead of Lagrangian interpolation for reconstruction. In this case, reconstruction is “robust”, i.e., guaranteed to return the correct value. Using this result, the transfer protocol for the malicious model is the same as what was used in the HbC case. For recombine transfer, Reed-Solomon decoding replaces Lagrangian interpolation. Specifically, since the size of the subgroups considered here will be fairly small, a brute force Reed-Solomon decoder is sufficiently fast. The malicious adversary model for (T-)MPC assumes a threshold of $n/3$ for the number of corrupt parties. The result of McEliece and Sarwate described above requires an honest dealer. For T-MPC, however, this is not necessary. To see that this is not an issue, consider where the subshares come from. Each party in the new set receives one subshare from each party in the old set. Therefore, there is no single dealer of the subshares. The “trusted dealer” requirement is taken care of by the fact that, collectively, the old set of parties acts as a trusted dealer. Specifically, each party in the new set is guaranteed to receive no more than $n/3$ corrupt subshares. For timing recombine transfer, simply multiply the timing information for output, from above, by the number of times required to guarantee robust reconstruction.
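As an added worked example (this is not code from the dissertation, nor from VIFF), the following Python script carries out, on a small constructed instance, the operations described in the preceding sections: the input and output commands of the passive runtime (Shamir sharing and Lagrangian reconstruction), add and the resharing multiply, the triple-based mult of Section 5.3.3, the transfer and recombine transfer pair of Section 5.4.1, and the brute force Reed-Solomon style robust reconstruction of Section 5.4.2. The prime modulus, the party counts, the secret values, the two corrupted shares, and the trusted-dealer stand-in used in place of genTriple are all assumptions made for the example.

```python
# Added worked example, not code from the dissertation or from VIFF.
# Field, party counts, secrets and the dealer stand-in for genTriple are constructed.
import random
from itertools import combinations

P = 2**31 - 1  # constructed prime modulus (assumption, not VIFF's actual field choice)


def share(secret, t, n, rng=random):
    """input: random degree-t polynomial sigma with sigma(0) = secret; share j is sigma(j)."""
    coeffs = [secret % P] + [rng.randrange(P) for _ in range(t)]
    return [(x, sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P)
            for x in range(1, n + 1)]


def interpolate_at(points, x0=0):
    """Lagrangian interpolation through `points`, evaluated at x0 (x0 = 0 gives the secret)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x0 - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def reconstruct(shares, t):
    """output: any t+1 consistent shares determine the secret (no check for corrupt shares)."""
    return interpolate_at(shares[:t + 1])


def add_shares(d_sh, e_sh):
    """add: share-wise sums are shares of d + e; no communication is needed."""
    return [(x, (d + e) % P) for (x, d), (_, e) in zip(d_sh, e_sh)]


def passive_multiply(d_sh, e_sh, t, rng=random):
    """multiply (passive runtime): party i reshares d_i*e_i with threshold t; party j then
    interpolates the n subshares it receives to obtain f_j, a degree-t share of f = de.
    Needs n >= 2t+1 because the product polynomial has degree 2t."""
    n = len(d_sh)
    resh = [share(d * e % P, t, n, rng) for (_, d), (_, e) in zip(d_sh, e_sh)]
    return [(j, interpolate_at([(i + 1, resh[i][j - 1][1]) for i in range(n)]))
            for j in range(1, n + 1)]


def dealer_triple(t, n, rng=random):
    """Constructed stand-in for genTriple: a dealer shares d, e and f = d*e.
    (Real preprocessing uses hyperinvertible matrices or PRSS, not a dealer.)"""
    d, e = rng.randrange(P), rng.randrange(P)
    return share(d, t, n, rng), share(e, t, n, rng), share(d * e % P, t, n, rng)


def beaver_multiply(a_sh, b_sh, triple, t):
    """mult (malicious runtime): open d' = a - d and e' = b - e with two output calls,
    then each party computes g_i = d'e' + d'e_i + d_i e' + f_i, its share of g = ab."""
    d_sh, e_sh, f_sh = triple
    d_pr = reconstruct([(x, (a - d) % P) for (x, a), (_, d) in zip(a_sh, d_sh)], t)
    e_pr = reconstruct([(x, (b - e) % P) for (x, b), (_, e) in zip(b_sh, e_sh)], t)
    return [(x, (d_pr * e_pr + d_pr * e + d * e_pr + f) % P)
            for (x, d), (_, e), (_, f) in zip(d_sh, e_sh, f_sh)]


def transfer(share_point, new_n, rng=random):
    """transfer: an old party subshares its share for new_n new parties, threshold new_n // 2."""
    return share(share_point[1], new_n // 2, new_n, rng)


def recombine_transfer(received):
    """recombine transfer: new party j interpolates the points (old party index, subshare
    received from that old party) at 0; linearity makes the result a share of the value."""
    return interpolate_at(received)


def robust_reconstruct(shares, t, max_corrupt):
    """Brute force Reed-Solomon decoding: try (t+1)-subsets until the interpolated degree-t
    polynomial agrees with at least n - max_corrupt shares; unique when n - 2*max_corrupt > t."""
    n = len(shares)
    for subset in combinations(shares, t + 1):
        agree = sum(1 for x, y in shares if interpolate_at(list(subset), x) == y)
        if agree >= n - max_corrupt:
            return interpolate_at(list(subset))
    raise ValueError("too many corrupt shares to decode uniquely")


def demo(seed=7):
    """Run each operation once on constructed inputs; return the recovered values."""
    rng = random.Random(seed)
    n, t, a, b = 5, 2, 1234, 56
    a_sh, b_sh = share(a, t, n, rng), share(b, t, n, rng)
    out = {"add": reconstruct(add_shares(a_sh, b_sh), t),
           "passive_mult": reconstruct(passive_multiply(a_sh, b_sh, t, rng), t),
           "mult": reconstruct(beaver_multiply(a_sh, b_sh, dealer_triple(t, n, rng), t), t)}
    m = 4  # transfer a's shares from the 5 old parties to 4 new parties (threshold 2)
    subs = [transfer(sp, m, rng) for sp in a_sh]  # subs[i][j-1]: old party i+1 -> new party j
    new_sh = [(j, recombine_transfer([(i + 1, subs[i][j - 1][1]) for i in range(n)]))
              for j in range(1, m + 1)]
    out["transfer"] = reconstruct(new_sh, m // 2)
    sh = share(a, 2, 7, rng)  # 7 parties; parties 1 and 5 send corrupt shares (constructed)
    sh[0], sh[4] = (1, (sh[0][1] + 99) % P), (5, 0)
    out["robust"] = robust_reconstruct(sh, 2, 2)
    return out
```

demo() returns the value recovered from each operation. With two of seven shares corrupted, robust_reconstruct still returns the secret because, for $t = 2$ and at most two corrupt shares out of $n = 7$, $n - 2c > t$, so only the honest polynomial can agree with $n - c$ shares; plain reconstruct on the same shares would return a wrong value without noticing, which is why Reed-Solomon decoding replaces Lagrangian interpolation in recombine transfer for the malicious model.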
5.5 Analysis


5.5.1  Homomorphic  encryption  based  aggregation  protocols. 

Using  the  descriptions  of  the  aggregation  protocols  from  Section  5.2  one  can 
determine  the  time  required  to  run  the  protocol  for  any  number  of  nodes  in  the  network. 
This  is  useful  in  understanding  the  tradeoffs  in  the  adversary  models  as  it  gives  a  real 
world  sense  as  to  the  size  of  the  network  that  each  protocol  can  support.  Note  that 
overall  asymptotic  complexities  will  not  capture  this  information  as,  for  example,  both 
aggregation  protocols  studied  here  have  quadratic  complexities  overall  (communication 
plus  computation).  Figure  5.2  shows  the  results  of  this  experiment. 


[Figure 5.2 plot: Aggregation Protocol Execution Time]

Figure 5.2: Size vs. execution time for aggregation protocols.


As expected, the time to execute the GJ protocol is significantly higher than the FT protocol. What is really interesting about this graph, however, is that it gives an idea of the size of network or the granularity of usage information that can be achieved using the more expensive yet more secure GJ protocol. For example, if a sink desires usage information every five minutes, the network size can be up to around 140 meter nodes. On the other hand, if a sink has networks of around 50 nodes, the protocol can be run as often as every 60 seconds and still use the malicious model protocol. Of further interest is which portion of the protocol contributes most to the time to complete protocol execution. For the FT protocol, once the system size exceeds 43 metering nodes, communicating the random values contributes most to the execution time. Prior to that, encryption contributes the most. For the GJ protocol, encryption contributes the most to execution time up until the network reaches 114 nodes, at which point communicating the meter value shares contributes most to the execution time. Therefore, for large smart meter networks, increasing communication bandwidth will have the biggest effect on execution time for both the FT and GJ protocols.

5.5.2  MPC  Protocols. 

In order to better understand the application of MPC protocols (and their corresponding adversary models) to the smart grid, the analysis in this section looks at computing the sum, standard deviation, and neighborhood standard deviation. The sum computed is identical to the sum that the aggregation protocols FT and GJ compute and therefore makes an interesting comparison with those works. When computing the standard deviation, the input for the meters is their current reading while the input for the sink is the current mean. This avoids computing a division in the multiparty computation, which is a very expensive operation. Furthermore, the typical standard deviation equation involves a square root and a division, but to avoid the square root and the division, only the numerator is computed and revealed to the sink, who can compute the rest. For the regular standard deviation, the values $x_i$ are the individual meters' readings; for the neighborhood standard deviation, the $x_i$ values in the equation are the sum of all meters in a neighborhood. To simplify the analysis, let each neighborhood contain 100 meters. The neighborhood standard deviation would be important to know in the smart grid, as a high standard deviation would mean a lot of variability across neighborhoods, which could identify prime targets for more optimized generation or distribution methods, or could indicate the need for more detailed analysis.

Figure 5.3 plots the time to complete a protocol execution for each of the computations and for each of the adversary models. Furthermore, Table 5.4 shows the maximum number of meters each computation can support in under fifteen minutes. Interestingly, going from honest-but-curious to malicious when only computing additions almost comes for free. Additionally, using MPC to compute the sum is faster than using homomorphic encryption. Prior work on cryptographic methods for privately computing sums in the smart grid has often focused on additive homomorphic ciphers. Yet this work shows that in fact MPC would be a faster alternative. As seen with the aggregation protocols, moving from the honest-but-curious model to the malicious model comes with a fairly significant performance cost. As evidenced by the neighborhood standard deviation computation, however, if the number of multiplications can be limited, interesting functions on fairly large networks are possible.


Table 5.4: Maximum number of meters for less than 15 minutes of computation time.

                         Sum    Std Dev    Std Dev (Neighborhood)
  Honest-but-Curious    2647       777                      2512
  Malicious             2646       172                       756

5.5.3  T-MPC  Protocols. 

Figure 5.4 plots the results of the experiment comparing HbC T-MPC and malicious model T-MPC for both the sum function and the standard deviation. As expected, executing the computation using a malicious model protocol is much more expensive. However, the network sizes in this case are still very large, illustrating the efficiency of T-MPC. From the figure, notice how the growth of the HbC executions and the malicious model executions are very similar. This means that the expected overhead of going from an HbC protocol to a malicious protocol is independent of the network size. Note that this is the case for both sum and standard deviation.

[Figure 5.3 plot: Timing for MPC protocols]

Figure 5.3: Network size vs execution time for MPC protocols.

5.5.4  HE  vs  MPC  vs  T-MPC. 

The analysis finishes by comparing the three types of protocols of interest: homomorphic encryption, multiparty computation, and transferable multiparty computation. The metric for comparing these protocols is the percent overhead when moving from an HbC protocol to a malicious model protocol. This will, in essence, tell us the cost of moving to a stronger adversary model and will have a significant impact on whether or not it makes sense to use an HbC protocol with anti-tamper protections or to simply use a malicious model protocol in the first place. Protocols that minimize this metric would be nice, as then system designers could use malicious model protocols in the first place, simplifying system design from an anti-tamper perspective.
[Figure 5.4 plot: Timing for T-MPC protocols]


Begin with the summation function and plot the percent overhead for increasingly larger networks in Figure 5.5. As before, MPC has practically no overhead when moving to a malicious model protocol when computing sums. T-MPC maxes out around 750% overhead for summation. While this is a significant increase, recall that T-MPC protocols are still the fastest in either model. Executing the summation function via T-MPC is still an order of magnitude faster than MPC. Homomorphic encryption protocols have the highest overhead, maxing out around 2500%, but then going back down to just over 1500%.

Figure 5.6 shows a similar plot for the standard deviation function. This plot does not include homomorphic encryption in the comparison, as the Paillier cipher is not able to compute that function. The comparison here is stark. T-MPC has roughly a constant overhead, i.e., independent of network size, and comes in at well below 1000%. MPC, however, does not share this property. The overhead continues to increase with network size. The fact that the overhead in moving from HbC T-MPC to malicious T-MPC is independent of network size is very nice when trying to make a decision between HbC with anti-tamper and malicious model protocols. Network growth is not a concern, as the overhead remains constant for ever larger networks. Combine this with the fact that T-MPC provided the fastest execution times, and there is good evidence to suggest that T-MPC provides the best balance in tradeoffs.

[Figure 5.5 plot: Percent Overhead for Summation]

Figure 5.5: Percent overhead for HbC vs Malicious when computing summation.

5.6  Anti-Tamper  Protection 

Existing smart meters provide very little in the way of security when it comes to physical attacks, reverse engineering, password extraction, eavesdropping and meter spoofing [78]. The threat of such attacks has to make one wonder if protocols secure in the honest-but-curious adversary model are sufficient for real world deployment, as an attack on these protocols that violates the adversary model could render the security mechanisms useless. Anti-tamper is an oft-cited way to make honest-but-curious protocols more realistic in smart metering systems. Both hardware and software anti-tamper technologies exist which could provide meters which implement honest-but-curious protocols with the necessary protections to prevent violations of another's privacy. In fact, one would expect some combination of each to be present in future tamper resistant smart meters to provide maximum protection. Designing an anti-tamper solution for smart meters is outside the scope of this paper. Instead, this section surveys the existing literature and discusses costs associated with existing techniques. Note that it is possible that one could build honest-but-curious smart metering protocols for, say, aggregation that lend themselves well to AT protections to minimize the cost of adding those protections. This, however, is outside the scope of this work. Therefore, this section focuses on retrofitting existing protocols with AT protections in a very generic fashion. It looks at AT protections that are available in the literature, notes their performance costs, and assumes that a smart meter AT protection strategy would likely use a few of these protections. Generic AT factors represent using a few of these protections serially.

[Figure 5.6 plot: Percent Overhead for Standard Deviation]

Figure 5.6: Percent overhead for HbC vs Malicious when computing standard deviation.

Work on anti-tamper protections applied to smart meters is scarce and presents an interesting problem. While there is significant room for improvement in developing a custom anti-tamper solution for smart meter devices, this is an exercise left to future work. McLaughlin et al. [79] propose a software technique for smart meters to promote firmware diversity that enhances a meter's ability to thwart compromise. Their system adds extra cycles to computation in order to encrypt and decrypt addresses during execution. The authors argue that since smart meter workloads are primarily I/O intensive, these protections should not decrease computation performance significantly. Using privacy preserving protocols on the meters, however, would greatly increase a meter's computational load. Moreover, their work does not deal with physical tampering of either hardware or software, something which would be necessary to thwart attacks on privacy.

The most common hardware approach to increasing a device's tamper resistance is to use a trusted processor [80]. These tamper-resistant processors can perform enough functionality to verify a system's components and software at boot-up or potentially during operation. The cost of these devices can range from the tens of dollars to the thousands, but smart cards are becoming a cheap, viable alternative. In addition to increased hardware costs, integration can also be an expensive up-front cost. Real-time intrusion monitoring is also a potential avenue for anti-tamper in smart meters. In fact, some newer chips designed for smart metering have this functionality already built in [81]. On board sensors can check for physical intrusions and, when detected, can trigger other protection mechanisms (e.g., erase memory, warn the sink, etc.). This would require a battery, as the mechanism would have to function even if power is lost. For large deployments, maintenance costs could be significant even at low false positive rates.
Software based anti-tamper protections require no additional hardware and can easily be changed/updated as needed. The problem with these sorts of protections is that they add computation overhead and therefore would slow down execution. One such technique, software encryption, aims to prevent an attacker from easily reverse engineering or tampering with the software by encrypting the software and only decrypting a certain function as needed. This of course increases computation time, as decryption must occur. In one example system, computation time increased by up to a factor of eight [82]. Code obfuscation is another technique that attempts to make code difficult to analyze. If an attacker cannot analyze the code easily, they also cannot maliciously modify its functionality. This can be achieved by using a sequence of instructions which has the same effect as the original instruction. Furthermore, adding instructions which have no effect on the correctness of the computations performed but are instead aimed to confuse a reverse engineer is another method of code obfuscation. One such system reported a slowdown factor as high as five [83].

To help illustrate how anti-tamper protections contribute to the discussion of tradeoffs between adversary models, Figures 5.7, 5.8 and 5.9 plot the timing values of the protocols identified previously and include hypothetical anti-tamper computation factors. As seen previously, individual AT protections can result in a 5 to 8x performance hit. Running, say, two to three of these serially could easily lead to a 10 to 20x performance hit for the entire system. Figure 5.7 shows that with an anti-tamper (AT) factor of 20x, the timing of the FT protocol approaches that of the GJ protocol. For MPC, the contrast is even more stark. For all three computations, a 10x anti-tamper factor makes the honest-but-curious protocols less efficient than the malicious model counterparts for up to some number of meter nodes. This shows that under certain conditions, MPC honest-but-curious protocols operating under tamper protection can lose their benefit of being less cumbersome protocols. This is further illustrated when looking at the T-MPC protocols as shown in Figure 5.9. In both the summation and standard deviation functions, a 10x AT factor makes the HbC protocol less efficient than the malicious model protocol.

The analysis shows that care must be taken when choosing privacy preserving protocols for smart meter networks, and that the entire cost of that choice must be considered. Previous work often justified the use of the honest-but-curious adversary model by assuming anti-tamper protections could be added to make the security guarantees better fit the real-world threat model. Under certain assumptions about anti-tamper protections, malicious model protocols may be more efficient in the first place, potentially eliminating the need for anti-tamper protections entirely.

[Figure 5.7 plot: Homomorphic Encryption with Anti-Tamper]

Figure 5.7: Homomorphic Encryption aggregation with various Anti-Tamper (AT) factors.
[Figure 5.8 plot: MPC with Anti-Tamper]

Figure 5.8: Multiparty Computation (MPC) timing with 10x AT factor.

[Figure 5.9 plot: T-MPC with Anti-Tamper]

Figure 5.9: Transferable Multiparty Computation (T-MPC) timing with 10x AT factor.
VI. Conclusion


Historically,  privacy  was  almost  implicit,  because  it  was  hard  to  find  and 
gather  information.  But  in  the  digital  world,  whether  it’s  digital  cameras  or 
satellites  or  just  what  you  click  on,  we  need  to  have  more  explicit  rules  -  not 
just  for  governments  but  for  private  companies.  -  Bill  Gates  [84] 

6.1  Summary 

How  private  data  is  used  is  changing  rapidly.  It  is  becoming  easier  for  private 
companies  and  governments  to  get  the  data  and  researchers  are  developing  new  ways  to 
use  the  data.  Some  of  the  benefits  to  increased  usage  of  private  data  are  explored  in  this 
dissertation.  Some  privacy  risks  are  well  understood.  Many,  however,  are  not  immediately 
obvious. 

Consider a recent example of how privacy risks were not understood until after the fact. In 2006, Netflix announced a contest with a one million dollar prize. The goal of the contest was to develop algorithms to recommend movies to Netflix users. To assist with the contest, Netflix released a dataset containing over 100 million movie ratings from over 400 thousand of its users. Netflix claimed that “all customer identifying information has been removed” from the dataset. In their seminal work, Narayanan and Shmatikov showed this to not be the case, however. They found that by using publicly available information on the internet, they were able to de-anonymize much of the Netflix dataset.

The Netflix example is only one in a series of such de-anonymization attacks. Other examples include de-anonymizing Massachusetts hospital discharge data [85], de-anonymizing DNA sequence datasets [86], and many others.

While  many  solutions  exist  to  such  problems,  the  technological  advances  discussed 
in  this  dissertation  focus  on  privacy-preserving  computation  techniques.  At  a  high  level, 
privacy-preserving  computation  means  that  inputs  to  a  computation  are  kept  private  from 
all except the original owner of the data, and the only additional information that is learned by any party is the output of the computation (and the information that can be directly inferred from it). A major benefit of privacy-preserving computation techniques is that the privacy guarantees are highly formalized. Compare this with the anonymization techniques used by Netflix and in other scenarios, where the privacy guarantees are not formalized.

6.2  Contributions 

This dissertation presents a new paradigm for privacy-preserving computation, transferable multiparty computation (T-MPC). In this paradigm, the parties running the computation are allowed to change over time, while still maintaining high security and privacy requirements. Chapter 3 presents protocols for T-MPC in both the honest-but-curious (HbC) and the malicious adversary models. These protocols result in much more efficient and scalable privacy-preserving smart metering. Under a smart metering application, T-MPC enables network sizes that are orders of magnitude larger than was previously possible. This helps solve a significant barrier in deploying smart metering.

Under  another  application,  decentralized  reputation  systems,  T-MPC  is  used  to 
significantly  increase  information  availability.  Information  availability  is  crucial  in 
decentralized  reputation  systems,  as  without  reputation  information,  the  system  is  useless. 
T-MPC  enables  privacy-preserving  delegation  of  reputation  information  in  such  systems, 
something  that  had  never  before  been  achieved. 

When  deploying  a  privacy-preserving  system  in  the  real-world,  system  designers  must 
make  decisions  relating  to  the  security  of  the  protocols  they  choose  to  deploy.  Often  this  is 
defined  by  the  adversary  model  that  a  given  protocol  is  proven  secure  under.  The  analysis 
in  this  dissertation  shows  that  T-MPC  can  greatly  reduce  the  overhead  of  using  more  secure 
malicious  model  protocols.  Malicious  model  protocols  have  often  been  believed  to  be  far 
too  inefficient  for  real-world  use.  T-MPC  has  changed  this. 
6.3 Recommendations for Future Research


Chapter 1 discusses a number of high-level areas in which researchers are applying privacy-preserving computation techniques to solve important privacy-related issues. This illustrates the broad nature of privacy concerns and the state of practical privacy-preserving computation. Future research conducted in the areas of theory and application is necessary to further adoption and use in industry. The following are of particular interest, however:

1.  Protocols:  Recent  advances  in  MPC  have  focused  on  the  case  of  a  dishonest 
majority.  The  T-MPC  protocols  in  this  dissertation  focus  on  honest  majority 
scenarios,  with  the  exception  of  the  protocol  specified  in  Section  4.2,  which  falls 
under  the  HbC  model.  A  significant  advancement  would  be  to  apply  the  T-MPC 
paradigm  to  a  recent  dishonest  majority  protocol  such  as  SPDZ  [43].  The  foundation 
for  such  a  T-MPC  enhancement  could  come  from  the  work  in  Section  4.2  as  both  use 
additive  secret  sharing,  but  the  adaptation  is  non-trivial. 

2.  Applications:  Any  of  the  application  domains  outlined  in  Chapter  1  would  be  of 
great  interest  for  applying  T-MPC,  and  there  could  be  significant  gains  in  any  of 
these  using  T-MPC.  One  additional  area  of  interest  is  outsourced  privacy-preserving 
computation.  As  more  computation  moves  to  the  cloud,  privacy  issues  begin  to 
become  very  real.  T-MPC  could  be  used  to  enhance  availability  of  such  a  service 
by  privately  transferring  information  as  computation  servers  go  offline.  Another 
interesting  application  of  T-MPC  related  to  this  application  domain  is  in  computation 
hopping.  In  other  words,  the  set  of  servers  running  the  computation  changes  over 
time  so  an  attacker  has  a  hard  time  knowing  who  to  attack. 

3. Programming Constructs: Much of the privacy-preserving computation literature assumes that computations are specified as (boolean or arithmetic) circuits. This requires a lot of domain-specific knowledge by the implementer. Researchers have developed methods to alleviate this by providing constructs that better reflect typical development environments. As there will likely be specific constructs relating to T-MPC (e.g., when to transfer, when is the optimal point in a program to transfer, etc.), a number of significant contributions could be made to allow developers to build applications that use T-MPC using programming constructs they are already familiar with.